About The Northwest Policyholder

A Miller Nash Graham & Dunn blog, created and edited by Seth H. Row, an insurance lawyer exclusively representing the interests of businesses and individuals in disputes with insurance companies in Oregon, Washington, and across the Northwest. Please see the disclaimer below.

Wednesday, May 27, 2015

Lessons From CNA's Suit to Avoid Covering a Hospital Cyber-Breach

A few weeks ago the insurance-coverage community experienced a watershed event: the first publicized lawsuit by an insurer for a declaration of "no coverage" under a cyber-insurance policy.  The case is Columbia Casualty Company v. Cottage Health Systems, filed in the Central District of California, and the issue is the insured's compliance with a pledge that it would use "minimum required" data-security practices.  This case holds important lessons for those considering cyber coverage - chiefly, be careful what you say in your application, and don't think that your insurer is going to treat you with kid gloves just because cyber coverage is a new product.

(NB: although we wouldn't normally cover California litigation, this filing raises red-hot issues so we decided to make an exception.)

The Cottage Health data breach was caused by user error, which is reported to be the leading cause of data security incidents across all sectors of the economy.  Cottage is a three-hospital health system in the Santa Barbara area.  According to published reports, the hospital contracted with an IT firm, "InSync," to put medical records on a File Transfer Protocol ("FTP") server so that they could be accessed remotely, but no one made sure that access to the records was locked down to credentialed people only, or that the records were encrypted.  As a result the files on the FTP server were reachable by Google's search "bots," and could be found with an ordinary Google search.  Reportedly the error was caught only after someone notified the hospital.  A class-action suit against InSync and Cottage followed, alleging (among other things) violations of California's Confidentiality of Medical Information Act.  Apparently the state DOJ is also investigating possible HIPAA violations.

Cottage's cyber-liability insurer, Columbia Casualty (owned by mega-insurer CNA), picked up the defense, and even funded a $4.1 million settlement with the class, but under a reservation of rights.   In the new coverage lawsuit CNA is suing Cottage to get the settlement money -- and all of its defense costs -- back from Cottage.

CNA, like many insurers, required Cottage to fill out a detailed cyber coverage application and "self-assessment" which involved answering a host of questions about IT security practices.  Most of the questions were broadly worded, such as "Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?"  A few of the questions were more specific, however, such as whether Cottage routinely changed default software settings if required to make systems secure.  The application also addressed the use of vendors, including questions about whether Cottage required its third-party vendors to observe the same or stricter security practices as those used by Cottage, and whether Cottage required vendors to have cyber-liability insurance.  (Cottage of course answered "yes" to all questions.) 

The application and the policy itself contained several kinds of "warranties" about Cottage's compliance with security standards, and the policy contained an exclusion that coverage would not be provided for damages resulting from "[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing . . ." (emphasis added).

CNA claims that Cottage's "yes" answers on the application were false or that, if the answers were true when the application was made, Cottage subsequently failed to "maintain" those practices.  Although CNA's complaint does not specifically say what Cottage didn't do that it should have done, reading between the lines it appears that CNA is focusing on three contentions: first, that the breach occurred because the vendor, InSync, failed to change the default FTP setting on the server software from "open access" to password-only access; second, that the medical data was not encrypted on the server; and third, that Cottage did not make sure that InSync had cyber insurance coverage of its own.
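The "default setting" CNA is pointing to is the kind of thing a one-screen configuration audit catches before an application is signed.  As an added example that is not part of the original post or of anything in the court filings: the complaint and press reports do not name the FTP software the vendor used, so the script below assumes vsftpd, whose compiled-in defaults (per vsftpd.conf(5)) are anonymous_enable=YES and ssl_enable=NO.  It parses a vsftpd-style config, fills in those defaults for anything left unset, and reports the two conditions described above: no-credential access and cleartext transfer.  The two config snippets are constructed for illustration.

```python
"""Audit a vsftpd-style config for the 'open access, unencrypted' state.

Added example; assumes vsftpd (the page does not say which FTP server was used).
"""

# Compiled-in defaults per vsftpd.conf(5): a key that is absent from the file
# behaves as this value, which is exactly how an "open by default" server ends up open.
DEFAULTS = {
    "anonymous_enable": "YES",  # logins without credentials are accepted
    "ssl_enable": "NO",         # no TLS: credentials and file contents cross the wire in cleartext
}


def parse_vsftpd_conf(text):
    """Return {key: value} for key=value lines; comments and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit(text):
    """Return a list of findings for the config text; an empty list means both checks pass."""
    explicit = parse_vsftpd_conf(text)
    findings = []
    for key, default in DEFAULTS.items():
        effective = explicit.get(key, default)
        origin = "set explicitly" if key in explicit else "compiled-in default, not set in file"
        if key == "anonymous_enable" and effective == "YES":
            findings.append(
                f"anonymous_enable={effective} ({origin}): anyone, including web crawlers, "
                "can read the share without credentials"
            )
        if key == "ssl_enable" and effective == "NO":
            findings.append(
                f"ssl_enable={effective} ({origin}): logins and file contents are sent in cleartext"
            )
    return findings


# Constructed sample configs (not taken from the case).
WEAK_CONF = """
# Nothing security-relevant is set, so the compiled-in defaults apply.
listen=YES
"""

HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["OK"])
```

Two caveats a practitioner would add.  First, the audit only reads the FTP daemon's own config; if the same directory is also exposed by a web server or a misconfigured firewall, the records are crawlable regardless of what vsftpd says.  Second, requiring a password without enabling TLS fixes only half of the problem described above: plain FTP still transmits the password and the records in cleartext, which is why the script treats ssl_enable=NO as its own finding.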

This is something of a nightmare scenario for those of us who advise policyholders on cyber liability and coverage.  There are several "weak links" when it comes to cyber, and this case appears to hit on several of them.

First, because there is so little claims history in the "cyber" world, and because the risks are so high, insurers are requiring applicants to answer lots of questions and go through unusually detailed "self-assessments."  That's not a problem if the folks filling out the application thoroughly vet the answers with IT, legal, and the contracts department. But any breakdown in communication among those players can result in coverage problems.

Second, because of the evolving nature of cyber risks (and because it is the nature of their approach to the business) insurance companies frequently use vague wording in application materials and in their policies.  Vague language allows the insurer to argue after the fact a particular meaning that favors them.  We can see that in action in this case, in the question asking whether Cottage did a yearly re-assessment of risks and "enhanced" its "risk controls in response to changes."  What does that mean?  Does that mean that if there is an increase in "spear-phishing" attacks the company must eliminate the use of email?  Or is it good enough to adopt published "best practices" - a rule of reasonableness?  Those are the kind of questions that may be litigated in this case - questions that could have been avoided if the insurer had not been able to get away with vague language that it could later use to its advantage.

Third, vendors.  Vendors, the cause of so many data security problems, create substantial problems when it comes to insurance.  What is a reasonable security precaution to a hospital may seem like overkill to an outsourced IT or cloud provider, or the reverse may be true, and there is often no practical way to monitor changes that a vendor makes in its security practices.  That makes it very difficult to accurately answer a question about whether a vendor uses the same security standards as the insurance applicant.  It is also particularly difficult to ensure, as the CNA application asked, that every vendor "maintain[s] enough insurance to cover their liability arising from a breach of privacy or confidentiality" when there are no standardized forms for cyber coverage that can be required in the vendor contract, and where the risks to the vendor may be dramatically different than those of the customer.

In this case it appears that CNA is trying to avoid coverage using Cottage's "warranty" to comply with vaguely-worded promises that Cottage made about its security practices in a case where negligent oversight of a vendor caused an accidental data breach.  That is, of course, exactly why a business buys liability insurance - to cover an accident caused through negligence.  The fact that CNA is relying on vague language against its customer, Cottage, rather than giving Cottage the benefit of the doubt, demonstrates that this insurer, at least, is willing to use the kind of sharp-elbow tactics to limit its loss payments that we see with other kinds of coverage.  In other words, cyber coverage is not going to be treated differently by the insurance industry and its lawyers.

To try to avoid this kind of situation, businesses would be well advised to treat cyber coverage applications very carefully, to try to negotiate "warranty" language that is less onerous and open-ended, and to exercise increased oversight of vendor contracts and compliance with contract terms, including actually reviewing the vendor's insurance policies and security practices.  Taking those steps will not of course eliminate coverage disputes of this sort, but in this area, every step is an important one.    






Tuesday, May 26, 2015

Premera Data-Breach Class Action Claims Illustrate Cyber Coverage Issues

The massive data breach at Washington health insurer Premera Blue Cross Blue Shield has spawned, at last count, fifteen class action lawsuits in Washington alone and at least one suit in Oregon federal court.  The suits allege that over 11 million records were exposed in the hack, including not just personally identifiable information but also health treatment and medication histories.
Examining the allegations in these class action complaints, and the differences among them, is instructive for those of us advising clients on insuring against these kinds of risks, because this will not be the last time this kind of breach will occur.  This post will focus on only two of the many issues that these complaints raise.
I should emphasize that I know nothing about Premera's insurance situation, and that the discussion below is purely based on general observations. Also, the below comments should not be taken as commentary on the validity of any of the plaintiffs' claims (some of which -- like the "bailment" claim -- have been rejected in other class action suits).
Timing Issues & Known Loss.    One of the more striking things about the complaints against Premera is the contention that Premera knew that its systems were vulnerable, and that it had been hacked, well before it disclosed the data breach to its customers.  Each of the complaints claims that the federal Office of Personnel Management audited Premera's systems in early 2014 and that on April 18, 2014 Premera received a report from OPM that its systems were vulnerable to attack due to (among other things) failure to make updates to security software, and that the hackers infiltrated Premera's IT system almost immediately thereafter, in early May, 2014.   The complaints also allege that Premera knew that it had been hacked in January, 2015.  But Premera did not disclose the breach to customers until March, 2015.
This brings to mind common coverage defenses used by insurers who issue "claims made" policies, which most cyber coverage policies are: that the claim was known earlier than it was reported.  A claims-made policy provides liability coverage for claims made against the insured during the policy year, irrespective of when the incident happened.  That would mean that a complaint filed against Premera in April, 2015 would generally be covered by its policy in effect in April, 2015.  But what if Premera knew that it would very likely be sued before that policy period started, or before it even applied for the policy?  And what if it failed to disclose what it knew during the application process?  All of these are issues commonly raised by insurance carriers looking to get out of paying a loss.
Also, cyber coverage in particular is often tied not only to when a claim is made but also to when the "wrongful act" or "negligent act" that allowed the breach to happen took place.  Coverage is sometimes conditioned on the negligent act having occurred within a certain time span prior to the beginning date of the policy, referred to as the "retroactive date."  It is increasingly common to hear that a "hack" was accomplished months before the data breach was discovered.  If the hackers got in before the retroactive date, does that mean no coverage?
Claims Under State Data Breach Laws.   Most of the complaints contain a claim under Washington's "Data Disclosure Law," but not a direct claim under the Oregon analogue.  Why?  Because the Washington law expressly provides a private cause of action for damages if any Washington company fails to promptly notify consumers of a breach.  Oregon law (http://www.oregonlaws.org/ors/646A.624) does not provide for a private cause of action.  The Washington statute, however, does not provide for any kind of minimum or statutory damages, and requires that the customer have been "injured" to maintain a suit.  That is both good for the defense of the claim (since the customers may have trouble establishing standing if their personal data has not actually been used, as discussed in this post), and good for coverage.  Cyber policies, like many similar kinds of policies, often provide coverage for "damages" but exclude coverage for "penalties and fines," leading to coverage disputes about whether statutory damages are in fact "damages."  Some states, like Arizona, provide civil penalties for violations of breach laws. And increasingly cyber policies are providing coverage for some kinds of regulatory fines or penalties, which is a good thing particularly given the recent news about large HIPAA fines.
In addition to the claim under the Washington statute, and in lieu of a direct claim under the Oregon statute, many of the complaints bring claims under the Washington and Oregon unfair trade practices or "consumer protection" statutes.   Potentially relevant to coverage are the claims under those statutes for treble damages.  Carriers routinely argue that the multiplied portions of awards are uninsurable punitive damages or are not covered as a penalty. 
There is no question that a large damages exposure will give an insurer incentive to take aggressive coverage positions. Data breach suits will be no exception. Savvy policyholder advisors will need to anticipate these defenses and plan accordingly.  So stay tuned for further reflections on the coverage issues that may arise from the Premera and similar suits.

Thursday, April 30, 2015

Oregon District Court Provides Clarification on Environmental Coverage Issues

In the most recent opinion in the ongoing Marine Group litigation, Judge Acosta clarified two issues that recur in complex environmental insurance litigation: first, which party has the burden of proving that incurred defense costs were reasonable and necessary; and second, whether an insured can recover pre-tender defense costs.

Burden of Proving Reasonableness and Necessity

The issue of which party has the burden of proving, or disproving, that incurred defense costs were reasonable and necessary was addressed in Ash Grove Cement Co. v. Liberty Mut. Ins. Co. In that case, Judge Hernandez endorsed California's rule by holding that when "the insurer has breached its duty to defend, it is the insured that must carry the burden of proof on the existence and amount of the site investigation expenses, which are then presumed to be reasonable and necessary as defense costs, and it is the insurer that must carry the burden of proof that they are in fact unreasonable or unnecessary." Under the clear language of the Ash Grove opinion, a breaching insurer must prove the defense costs to be unreasonable and unnecessary, after the insured proves their existence and amount. Despite holding that this burden-shifting rule applies, Judge Hernandez's application of the rule was unclear, and several breaching insurers have questioned whether they do indeed have the burden of proving defense costs to be unreasonable and not necessary.

This question arose in Marine Group through a complicated motion to compel in which the relevancy of various documents was in question. In ruling on relevancy, Judge Acosta found that it was necessary to establish who has the burden on the issues of reasonableness and necessity. Judge Acosta endorsed the position taken by Judge Hernandez: that when a carrier has breached its duty to defend, the burden of proving the reasonableness and necessity of the fees shifts from the insured to the insurer. Thus, the insured's fees are presumed to be reasonable and necessary when an insurer has improperly breached its duty to defend. This is a win for policyholders, and should make it easier for insureds to recover fees when insurers have wrongfully refused to participate in a defense.

Another wrinkle in the Marine Group litigation is the presence of a paying insurer, Argonaut. Since early on in the defense, Argonaut has paid Marine Group's defense costs. Thus, most of the damages being sought are through a contribution action between insurers, and not a direct coverage claim. Marine Group, along with Argonaut, made the argument that since the claim is primarily a contribution action between insurers, the reasonableness and necessity of the fees was not at issue, but instead the issue is whether Argonaut acted as a reasonable insurer. Similarly, both parties made arguments under ORS 465.480(4)(d) that the common law of contribution was preempted and that the breaching insurers should be prohibited from questioning the defense costs incurred. Judge Acosta rejected this line of reasoning in holding that St. Paul could question the defense costs, but that it bore the burden of proving the fees to be unreasonable and not necessary.

Pre-Tender Defense Costs

While the Marine Group litigation primarily involves a contribution action between Argonaut and other insurers, Marine Group also has a direct contractual claim against its insurers for certain sums not paid by Argonaut. Some of these unpaid defense costs are pre-tender. In other words, they were incurred by Marine Group before it formally sent a letter to its insurers that detailed the claims faced and requested that a defense be provided.

Most states follow the rule that pre-tender defense costs cannot be recovered by an insured from its insurer; this underlines the importance of identifying, and tendering to, insurers at the earliest point of any litigation. Marine Group attempted to escape the strict application of the pre-tender rule by invoking the notice-prejudice rule, which does not allow an insurer to deny defense costs because of delayed notice unless it can show that the delay caused prejudice to the insurer. Judge Acosta found the notice-prejudice rule to be inapplicable because the duty to defend did not arise until the tender occurred. Thus the court held that the notice-prejudice rule does not apply to pre-tender defense costs, because it applies only to covered claims.

Ultimately, Judge Acosta ruled that under Oregon law, pre-tender defense costs are not recoverable. This presents a particularly difficult situation for companies facing historic environmental liabilities. Typically, the only policies that cover historic pollution events were written before 1986. Many companies do not have readily available copies of these insurance contracts. Indeed, historic insurance archaeologists must often be retained to identify these policies. Judge Acosta's decision reinforces the rule that defense costs incurred while a party is looking for its insurance coverage are not recoverable, even to the extent that the delay does not meaningfully prejudice the insurers.


Monday, April 27, 2015

Cert Grant in FCRA Case Could Impact Cyber Coverage

News today that the Supreme Court has granted certiorari in Spokeo v. Robins, which tests whether Congress can confer "standing" by giving consumers a private right of action under a federal law, and entitlement to statutory damages, even if the consumer cannot prove any concrete damages.  The Court will review a decision by the Ninth Circuit that said, essentially, "yes" to that question.

In Robins, the plaintiff claimed to have been harmed when Spokeo, an online directory that aggregates publicly-available personal information, published inaccurate information about him on the site.  The plaintiff contended that in doing so Spokeo violated the Fair Credit Reporting Act (FCRA), but he could not prove specific damages tied to the inaccurate information.  Instead, he claimed entitlement under the FCRA to "statutory damages" (typically set at $1,000 per violation).  Robins sued on behalf of a class of people -- allegedly numbering in the thousands -- who were similarly aggrieved by Spokeo's failure to report accurate information. The trial court dismissed the suit based on the constitutional requirements that a plaintiff demonstrate "standing" based on "actual or imminent harm."  The Ninth Circuit, however, reversed, reasoning that Congress could create a statutory right and in essence create standing by providing a private right of action for violation of that right.  The Supreme Court has agreed to decide whether that view of Congress' power is correct.

What does this have to do with cyber-insurance?  Plenty. For one thing, the decision may undermine state laws that have fueled the market for robust cyber coverage.  Many consumer advocates believe that data-breach notification laws will be ineffective at forcing businesses to "fess up" when a breach happens unless the breach law contains a private right of action with a small statutory damages component, modeled on FCRA.  Washington's data-breach law, recently amended, is just such a law.  The spread of such laws has driven the market for cyber policies that cover not just the cost of notifications but also liability relating to breach notification.  And just as many predict that legislation working its way through Congress allowing companies to confidentially share data on cyber breaches may eventually bring rates down, state legislation has had an impact on premiums that may be blunted by the Court's decision in Robins.

Beyond breach-notification laws, the way that the Supreme Court approaches the "actual or imminent harm" question could impact how courts handle data breach consumer lawsuits that do not rely on any federal statute but instead are based on common-law grounds, such as negligence or fiduciary duty.  Some courts have dismissed consumer lawsuits that fail to allege specific harm arising from a breach, while other courts have allowed those suits to proceed at least into the discovery phase.  The Supreme Court might take this opportunity to address "standing" more generally, leading to fewer consumer class actions, which could further result in lower premiums for cyber coverage.

Wednesday, April 22, 2015

Data Breaches at Franchisees Raise Cyber Insurance Issues

A recent article about a data breach at a Marriott franchise highlights an emerging cyber insurance issue for franchisors, and indeed for all companies involved in contractual relationships that expose them to liability for cyber risks over which they may have little control.

The article reports that a Marriott franchisee had a seven-month-long data breach relating to the food and beverage point-of-sale (POS) system at ten of its hotels.  Unfortunately, this kind of scenario is becoming commonplace - hackers exploiting weaknesses in POS security to obtain credit card numbers, often focusing on heavy users of POS systems like restaurants.  

But the franchise aspect of this incident clearly adds some wrinkles worth considering.  I reached out to my partner Shannon McCarthy, a member of our franchise & distribution practice group and frequent contributor to our firm's blog on franchise issues -- ZorBlog -- for some thoughts.

Shannon first confirmed that in the event of a consumer lawsuit over a data breach the franchisor will likely be sued along with the franchisee.  Franchisors are typically viewed as a "deep pocket" and so the plaintiff may seek to hold the franchisor directly or indirectly liable for the breach.  A franchisor might be liable if it controlled the consumer data, if it contractually required the franchisee to use a certain system or provided the system itself, or exercised control over the way that the franchisee collected or used the data.  As examples, Shannon pointed me to both this FTC suit against Wyndham Hotel Group and the consumer class action (and related FTC action) against the rent-to-own franchisor Aaron's, Inc.  

In the Wyndham case the FTC alleged that the hotelier, which operates through over 90 franchisees, itself was liable for data breaches at its franchise locations because the franchisor had made representations on its own website about data security, because it "allowed" franchisees to use improper software and lax security practices, and because its own data systems did not encrypt consumer information.  Wyndham has pushed back against the FTC's claims and has appealed an early ruling that the FTC has jurisdiction to pursue the claims, and recently defeated a related derivative action in federal court.  

In the Aaron's case, customers who rented laptops sued the franchisees and the franchisor alleging that spyware on the laptops captured keystrokes, browsing history, and screenshots, and took pictures of the customers using the computer's built-in camera, invading the customers' privacy.  (The customers' case was recently reinstated by the Third Circuit after having been dismissed on procedural grounds).  The customer suit follows on the heels of a consent decree that Aaron's reached with the FTC in which the franchisor essentially admitted that it not only knew about the practice but actively participated in providing the software to its franchisees.  (Given that settlement it may be difficult for Aaron's to deflect responsibility to its franchisees.)

Where does insurance fit into all of this?  First, franchisors (like all businesses) should assess whether they themselves are adequately covered for cyber losses, including whether their traditional insurance policies carry endorsements specifically excluding data-breach liability or first-party losses, and whether they should purchase specific "cyber insurance."  In making this assessment franchisors should take into account all of the potential risks that they face beyond just regulatory or class-action consumer lawsuits; for example, credit-card issuers and banks may file suit seeking to recover their costs for writing off fraudulent charges and issuing new cards.

Second, franchisors should consider the requirements that they impose on franchisees with regard to cyber-security practices.  For example, franchisors might incorporate into their franchise agreements some of the security standards and "best practices" being developed by cyber-security organizations.  Of course this brings into play the tension that has always existed between maintaining enough separation from the franchisee such that liability could be avoided altogether, wanting to protect the brand by ensuring that the franchise is run competently, not imposing unreasonable burdens on franchisees, and business interests that may require a certain amount of intermingling of operations.  (For example, one of the key advantages of owning a hotel franchise is the access to the unified reservations and loyalty-reward programs operated by the franchisor.)


Finally, because preventing data breaches or liability claims may be impossible, franchisors should evaluate whether to require their franchisees to carry cyber insurance, and whether those insurance policies can provide protection to the franchisor.  Much as general contractors require subcontractors to carry insurance providing "additional insured" protection if the general is sued because of the subs' negligence, some cyber insurance programs purchased by a franchisee could be made to assist a franchisor in the event of a data breach caused by a franchisee's error.  However, because cyber insurance is not being written on standardized forms, it is not possible to simply specify in a franchise contract that a specific ISO additional insured endorsement be used.  Instead, franchisors would be well served to work out requirements language with their franchisees that takes into account evolving norms in the insurance industry regarding language, sub-limits, and other aspects of cyber insurance.  What will likely be needed in this, as with almost all things in the cyber insurance world, is a team approach involving counsel, insurance broker, and business people.







Monday, April 13, 2015

Oregon Supreme Court Accepts Review of Two Important Insurance Disputes

The Oregon Supreme Court recently accepted for review two cases with potentially lasting implications for insurance coverage disputes in the state.

The first case is a mandamus ruling - the court decided to accept for review a trial court's ruling in Liberty Surplus Insurance v. Seabold Construction on a hot evidence issue important to bad-faith coverage litigation.  In Seabold the company and its liability insurer are locked in a dispute over Liberty's handling of Seabold's defense in a construction-defect matter; Seabold contends that Liberty acted in bad faith in connection with settlement of the dispute.  During the critical time period -- while settlement negotiations were going on in the underlying case -- Liberty was acting through coverage counsel, which is commonplace in such situations.  Once the coverage litigation got underway, however, Seabold demanded to see the communications with and work done by the insurer's "coverage counsel" on the theory that at least part of the time the attorney was acting as a claims adjuster.  Under the reasoning of Cedell v. Farmers, a Washington case (and its progeny, discussed in this blog post from 2013), Seabold argued -- successfully -- that there was no absolute attorney-client privilege when "coverage counsel" is performing some of the business functions of a liability carrier.  The trial court ordered Liberty Mutual to produce counsel's communications (initially directly to Seabold, amended to production for review by the court), and Liberty Mutual sought a writ of mandamus -- essentially, appellate review in the middle of a case -- to block enforcement of the trial court's order.

The issue that the court has identified for resolution is whether attorney-client privilege applies despite counsel's involvement in "investigating and adjusting" the claim.  This is the issue that Cedell and other courts outside of Oregon have decided in favor of policyholders, and one would think that this court would go the same way.  However, in the Crimson Trace discovery dispute (which did not involve insurance) the court proved itself very protective of the attorney-client privilege in an institutional context, so "all bets are off," as they say.

The second case accepted for review (back on March 31) is the 2014 Fountaincourt Homeowners Ass'n v. Fountaincourt Development decision from the Court of Appeals.  In that decision the Court of Appeals confirmed that a claimant who obtains a judgment against an insured after trial may pursue that insured's insurance assets in a garnishment proceeding as a judgment creditor, and that during resolution of the garnishment the insurer has the burden of proving that the judgment was not covered where there is prima facie evidence that at least some of the jury's award was for covered damages.  That decision was very beneficial for claimants concerned about being able to collect on a judgment.

The Supreme Court's statement of the issues on review is rather breathtaking, and will ensure that the case is closely watched.  Rather than try to summarize, set out below are the issues on review from the court's statement:

(1) If a general verdict is returned against an insured entity in a mixed coverage case (i.e., one involving some damage that is payable by an insurer and some damage that is not), and the insurer defended under a reservation of rights, can the insured establish coverage for the awarded damages based on the general verdict? (2) Does defective work by an insured contractor constitute "property damage" if that term is defined as "[p]hysical injury to tangible property"? (3) Can an insured establish a prima facie case for insurance coverage with evidence showing only the possibility that a judgment is for damages within the insuring agreement of a liability policy? (4) If a liability insurer's policy is garnished by a judgment creditor and a disputed question of fact must be resolved to determine if the insurer is obligated to pay the judgment, is the insurer entitled to a jury trial in the garnishment proceeding?

What is surprising here is the Court's indication that it will take up some questions that many had thought were largely settled and were not the most controversial of the Court of Appeals' decisions.  One can hope that the Court's indication that it will review those questions is only intended to settle any doubt.  However because so much is at stake if the Court has decided to revisit those issues, this case promises to attract a lot of attention and amicus participants, and its resolution could shape (or re-shape) Oregon coverage law for a long time.

Tuesday, April 7, 2015

Likely Changes to Oregon Data Breach Law Should Prompt Review of Cyber Coverage

This excellent post by my colleague Brian Sniffen in our firm's IP Law Trends blog reports on the efforts by Oregon's Attorney General to strengthen the state's data breach notification laws.   The proposed amendments to the Oregon Consumer Identity Theft Protection Act (ORS 646A.602 et seq.) are part of Senate Bill 601, which is making its way through the legislature right now.  You can follow the bill's progress here.

As Brian reports, among the proposed changes are a lowering of the threshold for notification to the Attorney General to 100 records; expansion of the definition of confidential data to include medical and biometric information; and giving enforcement power to the Attorney General under the Unfair Trade Practices Act.

As we observed last week in our post about the insurance implications of Washington's effort to toughen its data-breach notification laws, these proposed Oregon changes should prompt every business -- whether it handles loads of consumer data or not -- to review its cyber insurance coverage to get a comfort level with any sub-limits relating to notification costs, and liability coverage for regulatory claims.  Of course, both state-level efforts could be upended if the President's proposed data-breach bill becomes federal law, because the federal law will likely preempt all state laws.  All the more reason to review your cyber coverage with an insurance professional today.

Update April 22: The Oregon bill has received a "do pass" recommendation, with some amendments, from the Senate Judiciary Committee, and is awaiting transfer to the floor for passage.