Columbia Casualty v. Cottage Health System, i.e. when your cyber-insurance is not what it seems


In Columbia Casualty Co. v. Cottage Health System, the insurer Columbia Casualty (“Columbia”), a unit of CNA, sued Cottage Health System (“Cottage”), which operates a network of hospitals located in Southern California, seeking to obtain a declaratory judgment that it was not obliged to defend or indemnify Cottage. Cottage had a NetProtect360 claims-made policy with Columbia (“Policy”). In the Fall of 2013 Cottage Health suffered a data breach involving about 32,500 confidential medical records. A class action had ensued (Kenneth Rice, et al. v. INSYNC, Cottage Health System, et al. – read here the complaint). The class action alleged that “Cottage and/or its third party vendor, INSYNC Computer Solution, Inc. (‘INSYNC’), stored medical records on a system that was fully accessible to the internet but failed to encrypt the records or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.” A settlement was reached in the class action for $4.125 million and Columbia agreed to fund the settlement but with a full reservation of rights.

The data breach is also the subject of a pending investigation by the California Department of Justice (“CDOJ”) to determine whether Cottage complied with its obligations under HIPAA and other federal and state laws.

The Policy provided “coverage for Privacy Injury Claims and Privacy Regulation Proceedings with limits of $10,000,000 each claim or proceeding and $10,000,000 in the aggregate for all Claims – subject to a $100,000 deductible”. The Policy contained the following provision:

The Insured warrants, as a condition precedent to coverage under this Policy, that it shall: 1. follow the Minimum Required Practices that are listed in the Minimum Required Practices endorsement as a condition of coverage under this policy, and 2. maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.

The application, which was expressly made part of the Policy, included a “Risk Control Self Assessment”. Columbia claims that Cottage provided false responses to the assessment questionnaire. The Policy contained an “exclusion entitled Failure to Follow Minimum Required Practices that precluded coverage for any loss based upon, directly or indirectly arising out of, or in any way involving [a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing.” (internal quotation marks omitted.

Columbia alleges that “the data breach … was caused as a result of File Transfer Protocol settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.” Basically the allegation is that the data breach was ultimately caused “by Cottage’s failure to continuously implement the procedures and risk controls identified in its application” (identification of specific failures to comply follows). For this reason Columbia seeks a declaratory judgment that it is not obligated to defend and indemnify Cottage (first cause of action).

– Do you check for security patches to your systems at least weekly and implement them within 30 days?   Yes

– Do you replace factory default settings to ensure your information security systems are securely configured?   Yes

– Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?   Yes

– Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security?   Yes

– Whenever you entrust sensitive information to 3rd parities do you…

(a) contractually require all such 3rd parties to protect this information with safeguards at least as good as your own.   Yes

(b) perform due diligence on each such 3rd party to ensure that their safeguards for protecting sensitive information meet your standards (e.g. conduct security/privacy audits or review findings of independent security/privacy auditors)   Yes

(c) audit all such 3rd parities at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information?   Yes

(d) require them to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality.   Yes

– Do you have a way to detect unauthorized access or attempts to access sensitive information?   Yes

– Do you control and track all changes to your network to ensure it remains secure?   Yes

In its second cause of action Columbia also seeks declaratory relief on other grounds that are also of interest here. Columbia alleges that it is not obligated to indemnify for sanctions and fines that may result from the CDOJ’s investigation:

The term “Damages” in the Policy is defined under the Columbia Policy to mean “civil awards, settlements and judgments… which the Insureds are legally obligated to pay as a result of a covered Claim,” but does not include “criminal, civil, administrative or regulatory relief, fines or penalties.”

Consider that the penalties for HIPAA violations can be high, ranging from $1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year, provided that the violation was not due to willful neglect in which case the minimum amount to $10,000 per violation (see here).

Columbia also sought a declaration that the policy was it is not obligated to indemnify Cottage because of the “Minimum Required Practices” provision that says, as a “condition precedent to coverage”, that insured will maintain “ all risk controls identified in the Insured’s Application”. The allegation is that Cottage has not (third cause of action) and therefore the Policy is ineffective.

Read the complaint in Columbia Casualty Co. v. Cottage Health System here (Pacer subscription required)

The case has not been decided as yet, however, it can still be useful for some thoughts:

(1)            Review your cyber insurance policy for scope of coverage. First of all, carefully check what types of coverage you bargained for, whether your policy is a First-party coverage or a Third-party coverage policy. (See more on coverage issues here). As a general matter there are several types of damages and you do not necessarily have coverage for all (damages from 1 to 6 are potentially- but not necessarily – inside the scope of a first-party coverage while damages from 7 to 9 pertain to – but are not necessarily covered by – a third-party coverage policy): (1) forensic cost, data loss and cost of data replacement; (2) business interruption and related expenses; (3) reputational damages and cost of public relations (i.e., loss of clientele because of the breach, which may or may not be covered by your cyber insurance – here example of coverage. See more here); (4) intellectual property theft and financial theft; (5) cyber extortion; (6) costs of compliance with the data breach law (example: notifications costs, call center, credit checks for affected data subjects); (7) legal fees, expert costs to defend in lawsuit brought as a consequence of the breach; (8) actual or punitive damages to affected data subjects (or settlement therefore); (9) penalties to governmental agencies (state and federal, for example for HIPAA violations). Columbia, for example, is refusing to cover this type of damage.

(2)            Conduct a review, both internally and externally, to assure compliance with representations made to the insurer about your practice and procedure. First, you need to review with your IT department to make sure that you are in compliance with those representations. With regard to third party cloud providers or other vendors, you need to obtain written certification that they are in compliance and that they have their own cybersecurity policy to reimburse you in case of breach.

(3)             Monitor your compliance with representations on a regular basis. You should make sure that you maintain compliance with the representation. Example Cottage did not comply with the duty to install security patches.

For more information: Francesca Giannoni-Crystal