About The Northwest Policyholder

A Miller Nash Graham & Dunn blog, created and edited by Seth H. Row, an insurance lawyer exclusively representing the interests of businesses and individuals in disputes with insurance companies in Oregon, Washington, and across the Northwest. Please see the disclaimer below.

Tuesday, May 26, 2015

Premera Data-Breach Class Action Claims Illustrate Cyber Coverage Issues

The massive data breach at Washington health insurer Premera Blue Cross Blue Shield has spawned at last count fifteen class action lawsuits in Washington alone and at least one suit in Oregon federal court. The suits allege that over 11 million records were exposed in the hack, including not just personally identifiable information but also health treatment and medication histories.
Examining the allegations in these class action complaints, and the differences among them, is instructive for those of us advising clients on insuring against these kinds of risks, because this will not be the last time this kind of breach will occur.  This post will focus on only two of the many issues that these complaints raise.
I should emphasize that I know nothing about Premera's insurance situation, and that the discussion below is purely based on general observations. Also, the below comments should not be taken as commentary on the validity of any of the plaintiffs' claims (some of which -- like the "bailment" claim -- have been rejected in other class action suits).
Timing Issues & Known Loss. One of the more striking things about the complaints against Premera is the contention that Premera knew that its systems were vulnerable, and that it had been hacked, well before it disclosed the data breach to its customers. Each of the complaints claims that the federal Office of Personnel Management audited Premera's systems in early 2014 and that on April 18, 2014 Premera received a report from OPM that its systems were vulnerable to attack due to (among other things) failure to make updates to security software, and that the hackers infiltrated Premera's IT system almost immediately thereafter, in early May, 2014. The complaints also allege that Premera knew that it had been hacked in January, 2015. But Premera did not disclose the breach to customers until March, 2015.
This brings to mind common coverage defenses used by insurers who issue "claims made" policies, which most cyber coverage policies are: that the claim was known earlier than it was reported.  A claims-made policy provides liability coverage for claims made against the insured during the policy year, irrespective of when the incident happened.  That would mean that a complaint filed against Premera in April, 2015 would generally be covered by its policy in effect in April, 2015.  But what if Premera knew that it would very likely be sued before that policy period started, or before it even applied for the policy?  And what if it failed to disclose what it knew during the application process?  All of these are issues commonly raised by insurance carriers looking to get out of paying a loss.
Also, cyber coverage in particular is often tied not only to when a claim is made but also to when the "wrongful act" or "negligent act" that allowed the breach to happen took place.  Coverage is sometimes conditioned on the negligent act having occurred within a certain time span prior to the beginning date of the policy, referred to as the "retroactive date."  It is increasingly common to hear that a "hack" was accomplished months before the data breach was discovered.  If the hackers got in before the retroactive date, does that mean no coverage?
Claims Under State Data Breach Laws. Most of the complaints contain a claim under Washington's "Data Disclosure Law," but not a direct claim under the Oregon analogue. Why? Because the Washington law expressly provides a private cause of action for damages if any Washington company fails to promptly notify consumers of a breach. Oregon law (http://www.oregonlaws.org/ors/646A.624) does not provide for a private cause of action. The Washington statute, however, does not provide for any kind of minimal or statutory damages, and requires that the customer have been "injured" to maintain a suit. That is both good for the defense of the claim (since the customers may have trouble establishing standing if their personal data has not actually been used, as discussed in this post), and good for coverage. Cyber policies, like many similar kinds of policies, often provide coverage for "damages" but exclude coverage for "penalties and fines," leading to coverage disputes about whether statutory damages are in fact "damages." Some states, like Arizona, provide civil penalties for violations of breach laws. And increasingly cyber policies are providing coverage for some kinds of regulatory fines or penalties, which is a good thing particularly given the recent news about large HIPAA fines.
In addition to the claim under the Washington statute, and in lieu of a direct claim under the Oregon statute, many of the complaints bring claims under the Washington and Oregon unfair trade practices or "consumer protection" statutes.   Potentially relevant to coverage are the claims under those statutes for treble damages.  Carriers routinely argue that the multiplied portions of awards are uninsurable punitive damages or are not covered as a penalty. 
There is no question that a large damages exposure will give an insurer incentive to take aggressive coverage positions. Data breach suits will be no exception. Savvy policyholder advisors will need to anticipate these defenses and plan accordingly.  So stay tuned for further reflections on the coverage issues that may arise from the Premera and similar suits.

Thursday, July 31, 2014

Idaho Court Gives Win to Policyholder Where Exclusion Conflicts With Coverage Grant

Policyholders celebrated a win from Idaho's federal courts in IDAHO TRUST BANK v. BancINSURE, INC., involving a conflict between an exclusion and the coverage grant. Here's a brief factual setup: a bank agreed to loan money to its customer to buy steel to build a new building. The bank failed to come through with the loan and the company sued. The bank's insurer (under an Errors-and-Omissions type policy) defended the bank under the "lender liability" coverage portion. This is a common provision in bank policies, covering errors committed in making a loan, failing to make a loan, or connected with making a loan. The bank and the company settled round 1 of the litigation, but the bank somehow failed to live up to its end of the bargain, resulting in the litigation being revived, and the company adding claims against the insured bank for breach of the settlement agreement.

After some procedural maneuvering in the underlying case the insurer pulled its defense, whereupon coverage litigation began.  The bank and its insurer filed cross-motions for summary judgment.  The insurer first asserted that the claim relating to the settlement agreement was not interrelated with the original claim, and since it had stopped insuring the bank after that original claim came in, there was no coverage (these policies are of course "claims made" policies).  The court rejected that argument, relying on the abundant case law interpreting the standard related-claims language to be very, very broad, and the somewhat muddy factual record about whether the insured had admitted that the claims were independent.

The insurer also relied on its policy's "contractual liability" exclusion as precluding the claim for breach of the settlement agreement. However, the court noted that the coverage part that had clearly applied to the original complaint - coverage for "lending liability" - defined lending in terms of an "agreement" with someone to make a loan.  Therefore, there was a conflict between the coverage grant for "lending liability" and the contractual liability exclusion.  The court held that an insurer cannot enforce an exclusion that eats so directly into the promised coverage, and refused to interpret the contractual liability exclusion so broadly that it would exclude a breach of contract claim that arose out of a failure to make a promised loan.

Thanks to two other bloggers: D&O Diary and Jones Lemon Graham's D&O Digest, for tipping me off to this Northwest case.