About The Northwest Policyholder

A Miller Nash Graham & Dunn blog, created and edited by Seth H. Row, an insurance lawyer exclusively representing the interests of businesses and individuals in disputes with insurance companies in Oregon, Washington, and across the Northwest. Please see the disclaimer below.

Wednesday, May 27, 2015

Lessons From CNA's Suit to Avoid Covering a Hospital Cyber-Breach

A few weeks ago the insurance-coverage community experienced a watershed event: the first publicized lawsuit by an insurer for a declaration of "no coverage" under a cyber-insurance policy.  The case is Columbia Casualty Company v. Cottage Health Systems, filed in the Central District of California, and the issue is the insured's compliance with a pledge that it would use "minimum required" data-security practices.  This case holds important lessons for those considering cyber coverage - chiefly, be careful what you say in your application, and don't think that your insurer is going to treat you with kid gloves just because cyber coverage is a new product.

(NB: although we wouldn't normally cover California litigation, this filing raises red-hot issues so we decided to make an exception.)

The Cottage Health data breach was caused by user error, which is reported to be the leading cause of data security incidents across all sectors of the economy.  Cottage is a three-hospital health system in the Santa Barbara area.  According to published reports, the hospital contracted with an IT firm, "InSync," to put medical records on a File Transfer Protocol ("FTP") server so that they could be accessed remotely, but no one made sure that access to the records was locked down to credentialed people only, or that the records were encrypted.  As a result the FTP files were available to Google's search "bots" and could be found by using a Google search.  Reportedly, the error was caught only after someone reported the issue to the hospital.  A class-action suit against InSync and Cottage followed, alleging (among other things) violations of California's Confidentiality of Medical Information Act.  Apparently the state DOJ is also investigating possible HIPAA violations.

Cottage's cyber-liability insurer, Columbia Casualty (owned by mega-insurer CNA), picked up the defense, and even funded a $4.1 million settlement with the class, but under a reservation of rights.   In the new coverage lawsuit CNA is suing Cottage to get the settlement money -- and all of its defense costs -- back from Cottage.

CNA, like many insurers, required Cottage to fill out a detailed cyber coverage application and "self-assessment" which involved answering a host of questions about IT security practices.  Most of the questions were broadly worded, such as "Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?"  A few of the questions were more specific, however, such as whether Cottage routinely changed default software settings if required to make systems secure.  The application also addressed the use of vendors, including questions about whether Cottage required its third-party vendors to observe the same or stricter security practices as those used by Cottage, and whether Cottage required vendors to have cyber-liability insurance.  (Cottage of course answered "yes" to all questions.) 

The application and the policy itself contained several kinds of "warranties" about Cottage's compliance with security standards, and the policy contained an exclusion that coverage would not be provided for damages resulting from "[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing . . ." (emphasis added).

CNA claims that Cottage's "yes" answers on the application were false, or that if the answers were true when the application was made, Cottage subsequently failed to "maintain" those practices.  Although CNA's complaint does not specifically say what Cottage didn't do that it should have done, reading between the lines it appears that CNA is focusing on three contentions: first, that the breach occurred because the vendor, InSync, failed to change the default FTP setting on the server software from "open access" to password-only access; second, that the medical data was not encrypted on the server; and third, that Cottage did not make sure that InSync had cyber insurance coverage of its own.

This is something of a nightmare scenario for those of us who advise policyholders on cyber liability and coverage.  There are several "weak links" when it comes to cyber, and this case appears to hit on several of them.

First, because there is so little claims history in the "cyber" world, and because the risks are so high, insurers are requiring applicants to answer lots of questions and go through unusually detailed "self-assessments."  That's not a problem if the folks filling out the application thoroughly vet the answers with IT, legal, and the contracts department. But any breakdown in communication among those players can result in coverage problems.

Second, because of the evolving nature of cyber risks (and because vagueness is simply how the industry approaches the business), insurance companies frequently use vague wording in application materials and in their policies.  Vague language allows the insurer to argue, after the fact, for a particular meaning that favors it.  We can see that in action in this case, in the question asking whether Cottage did a yearly re-assessment of risks and "enhanced" its "risk controls in response to changes."  What does that mean?  Does it mean that if there is an increase in "spear-phishing" attacks the company must eliminate the use of email?  Or is it good enough to adopt published "best practices" - a rule of reasonableness?  Those are the kind of questions that may be litigated in this case - questions that could have been avoided if the insurer had not been able to get away with vague language that it could later use to its advantage.

Third, vendors.  Vendors, the cause of so many data security problems, create substantial problems when it comes to insurance.  What is a reasonable security precaution to a hospital may seem like overkill to an outsourced IT or cloud provider, or the reverse may be true, and there is often no practical way to monitor changes that a vendor makes in its security practices.  That makes it very difficult to accurately answer a question about whether a vendor uses the same security standards as the insurance applicant.  It is also particularly difficult to ensure, as the CNA application asked, that every vendor "maintain[s] enough insurance to cover their liability arising from a breach of privacy or confidentiality" when there are no standardized forms for cyber coverage that can be required in the vendor contract, and where the risks to the vendor may be dramatically different than those of the customer.

In this case it appears that CNA is trying to avoid coverage using Cottage's "warranty" to comply with vaguely-worded promises that Cottage made about its security practices in a case where negligent oversight of a vendor caused an accidental data breach.  That is, of course, exactly why a business buys liability insurance - to cover an accident caused through negligence.  The fact that CNA is relying on vague language against its customer, Cottage, rather than giving Cottage the benefit of the doubt, demonstrates that this insurer, at least, is willing to use the kind of sharp-elbow tactics to limit its loss payments that we see with other kinds of coverage.  In other words, cyber coverage is not going to be treated differently by the insurance industry and its lawyers.

To try to avoid this kind of situation, businesses would be well advised to treat cyber coverage applications very carefully, to try to negotiate "warranty" language that is less onerous and open-ended, and to exercise increased oversight of vendor contracts and compliance with contract terms, including actually reviewing the vendor's insurance policies and security practices.  Taking those steps will not of course eliminate coverage disputes of this sort, but in this area, every step is an important one.


Tuesday, May 26, 2015

Premera Data-Breach Class Action Claims Illustrate Cyber Coverage Issues

The massive data breach at Washington health insurer Premera Blue Cross Blue Shield has spawned, at last count, fifteen class action lawsuits in Washington alone and at least one suit in Oregon federal court.  The suits allege that over 11 million records were exposed in the hack, including not just personally identifiable information but also health treatment and medication histories.

Examining the allegations in these class action complaints, and the differences among them, is instructive for those of us advising clients on insuring against these kinds of risks, because this will not be the last time this kind of breach will occur.  This post will focus on only two of the many issues that these complaints raise.

I should emphasize that I know nothing about Premera's insurance situation, and that the discussion below is purely based on general observations.  Also, the below comments should not be taken as commentary on the validity of any of the plaintiffs' claims (some of which -- like the "bailment" claim -- have been rejected in other class action suits).

Timing Issues & Known Loss.  One of the more striking things about the complaints against Premera is the contention that Premera knew that its systems were vulnerable, and that it had been hacked, well before it disclosed the data breach to its customers.  Each of the complaints claims that the federal Office of Personnel Management audited Premera's systems in early 2014 and that on April 18, 2014 Premera received a report from OPM that its systems were vulnerable to attack due to (among other things) failure to make updates to security software, and that the hackers infiltrated Premera's IT system almost immediately thereafter, in early May, 2014.  The complaints also allege that Premera learned in January, 2015 that it had been hacked.  But Premera did not disclose the breach to customers until March, 2015.

This brings to mind a common coverage defense used by insurers who issue "claims made" policies, which most cyber coverage policies are: that the claim was known earlier than it was reported.  A claims-made policy provides liability coverage for claims made against the insured during the policy year, irrespective of when the incident happened.  That would mean that a complaint filed against Premera in April, 2015 would generally be covered by its policy in effect in April, 2015.  But what if Premera knew that it would very likely be sued before that policy period started, or before it even applied for the policy?  And what if it failed to disclose what it knew during the application process?  All of these are issues commonly raised by insurance carriers looking to get out of paying a loss.

Also, cyber coverage in particular is often tied not only to when a claim is made but also to when the "wrongful act" or "negligent act" that allowed the breach to happen took place.  Coverage is sometimes conditioned on the negligent act having occurred within a certain time span prior to the beginning date of the policy, referred to as the "retroactive date."  It is increasingly common to hear that a "hack" was accomplished months before the data breach was discovered.  If the hackers got in before the retroactive date, does that mean no coverage?

Claims Under State Data Breach Laws.  Most of the complaints contain a claim under Washington's "Data Disclosure Law," but not a direct claim under the Oregon analogue.  Why?  Because the Washington law expressly provides a private cause of action for damages if any Washington company fails to promptly notify consumers of a breach.  Oregon law (http://www.oregonlaws.org/ors/646A.624) does not provide for a private cause of action.  The Washington statute, however, does not provide for any kind of minimal or statutory damages, and requires that the customer have been "injured" to maintain a suit.  That is both good for the defense of the claim (since the customers may have trouble establishing standing if their personal data has not actually been used, as discussed in this post), and good for coverage.  Cyber policies, like many similar kinds of policies, often provide coverage for "damages" but exclude coverage for "penalties and fines," leading to coverage disputes about whether statutory damages are in fact "damages."  Some states, like Arizona, provide civil penalties for violations of breach laws.  And increasingly cyber policies are providing coverage for some kinds of regulatory fines or penalties, which is a good thing, particularly given the recent news about large HIPAA fines.

In addition to the claim under the Washington statute, and in lieu of a direct claim under the Oregon statute, many of the complaints bring claims under the Washington and Oregon unfair trade practices or "consumer protection" statutes.  Potentially relevant to coverage are the claims under those statutes for treble damages.  Carriers routinely argue that the multiplied portions of awards are uninsurable punitive damages or are not covered because they are a penalty.

There is no question that a large damages exposure will give an insurer incentive to take aggressive coverage positions.  Data breach suits will be no exception.  Savvy policyholder advisors will need to anticipate these defenses and plan accordingly.  So stay tuned for further reflections on the coverage issues that may arise from the Premera and similar suits.