By Nicholas B. Reuhs, Ice Miller LLP
Companies seeking to protect themselves with cybersecurity insurance must take particular care when applying for their policies. An ongoing case in a California Federal District Court between Columbia Casualty Corporation and Cottage Health System illustrates the importance of paying attention to the fine print in the policy’s application.
Cottage Health System suffered a data breach implicating more than 32,000 patient medical records from the system’s Southern California medical facilities. As a result of the breach, Cottage Health’s patients filed a class action suit, which Cottage Health subsequently settled for $4.1 million. Although Cottage Health’s cybersecurity insurance provider, Columbia Casualty Corp., initially agreed to fund the settlement, it later filed suit claiming that it need not defend or indemnify Cottage Health. In support of this claim, Columbia cited Cottage Health’s alleged failure to employ minimum cybersecurity practices referenced in Columbia’s cyber policy application and purported misrepresentations in the application regarding risk assessment practices.
Unknowing misstatements in insurance applications are rare in the context of traditional liability and property policies. In those cases, the person procuring the insurance has a proficient understanding of the organization’s relevant risks and practices. This is rarely true in the context of cybersecurity insurance. To that end, the Cottage Health System dispute serves as a stark reminder that organizations should involve their information security personnel throughout the application process.