navigating a cybersecurity insurance policy · 2016-08-16 · course materials aug. 16, 2016 noon-1...

Course Materials Aug. 16, 2016 Noon-1 p.m. 9469W

Navigating a Cybersecurity Insurance Policy Roberta D. Anderson K&L Gates LLP Pittsburgh Ms. Anderson a member of K&L Gates' global Insurance Coverage practice group and a co-founder of the firm's global Cybersecurity practice group. Ms. Anderson concentrates her practice in insurance coverage litigation and counseling and emerging cybersecurity and data privacy-related issues. She has substantial experience in the drafting and negotiation of cyber/privacy liability, directors' and officers' liability, professional liability, and other insurance placements. : Five Tips for Success in Cyber Insurance Litigation Page 5: 5 Policyholder Takeaways From Portal Page 11: The Devil in the “Cyber” Insurance Details

© 2016 Pennsylvania Bar Institute. All rights reserved.

Five Tips for Success in Cyber Insurance Litigation By Roberta D. Anderson

Many insurance coverage disputes can be, should be, and are settled without the need for litigation and its attendant costs and distractions. However, some disputes cannot be settled, and organizations are compelled to resort to courts or other tribunals in order to obtain the coverage they paid for, or, with increasing frequency, they are pulled into proceedings by insurers seeking to preemptively avoid coverage. As illustrated by CNA’s recently filed coverage action against its insured in Columbia Casualty Company v. Cottage Health System,1 in which CNA2 seeks to avoid coverage for a data breach class action lawsuit and related regulatory investigation,3 cyber insurance coverage litigation is coming. And in the wake of a data breach or other privacy, cybersecurity, or data protection-related incident, organizations regrettably should anticipate that their cyber insurer may deny coverage for a resulting claim against the policy.

Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage in order to decrease the likelihood of a coverage denial and litigation. In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

Even where a solid insurance policy is in place, however, and there is a good claim for coverage under the policy language and applicable law, insurers can and do deny coverage. In these and other instances, litigation presents the only method of obtaining or maximizing coverage for a claim.

When facing coverage litigation, organizations are advised to consider the following five strategies for success:

1. Tell a Concise, Compelling Story In complex insurance coverage litigation, there are many moving parts and the issues are typically nuanced and complex. It is critical, however, that these nuanced, complex issues come across to a judge, jury, or arbitrator as relatively simple and straightforward. Getting overly caught up in the weeds of policy interpretive and legal issues, particularly at the outset, risks losing the organization’s critical audience and obfuscating a winningly concise, compelling story that is easy to understand, follow, and sympathize with. Boiled down to its essence, the story may be—and in this context often is—something as simple as:

1 No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015). 2 The named plaintiff is CNA’s non-admitted insurer, Columbia Casualty Company. 3 CNA’s preemptory suit was dismissed without prejudice by order dated July 17, 2015 because CNA

failed to exhaust alternative dispute resolution procedure in its policy.

3 August 2015 Practice Groups: Insurance Coverage Commercial Disputes Cyber Law and Cybersecurity This alert was first published by Law360 on July 30, 2015 and by Advisen’s Cyber Risk Network on July 31, 2015.

Five Tips for Success in Cyber Insurance Litigation

2

“They promised to protect us from a cyber breach if we paid the insurance premium. We paid the premium. They broke their promise.”

2. Place the Story in the Right Context It is critical to place the story in the proper context because, unfortunately, many insurers in this space, whether by negligent deficit or deliberate design, are selling products that do not reflect the reality of e-commerce and its risks. Many off-the-shelf cyber insurance policies, for example, limit the scope of coverage to only the insured’s own acts and omissions, or only to incidents that impact the insured’s network. Others contain broadly worded, open-ended exclusions like the one at issue in the Columbia Casualty case, which insurers may argue, as CNA argues, vaporize the coverage ostensibly provided under the policy. These types of exclusions invite litigation and, if enforced literally, can be acutely problematic and flat-out impracticable in this context. There are myriad other traps in cyber insurance policies—even more in those that are not carefully negotiated—that may allow insurers to avoid coverage if the language were applied literally.

If the context is carefully framed and explained, however, judges, juries, and arbitrators should be inhospitable to the various “gotcha” traps in these policies. Taking the Columbia Casualty case as an example, the insurer, CNA, relies principally upon an exclusion, entitled “Failure to Follow Minimum Required Practices,” which, as quoted by CNA in its complaint, purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. In this context, however, comprised of the extremely complex areas of cybersecurity and data protection, any insured can reasonably be expected to make mistakes in implementing security and this reality is, in fact, a principal reason for purchasing cyber liability coverage in the first place. Indeed, CNA represents in its marketing materials that the policy at issue in Columbia Casualty offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber Liability and CNA NetProtect Products

CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.

It is important to use the discovery phase to fully flesh out the context of the insurance and the entire insurance transaction in addition to the meaning, intent, and interpretation of the policy terms and conditions, claims handling, and other matters of importance depending on the particular circumstances of the coverage action.

3. Secure the Best Potential Venue and Choice of Law One of the first and most critical decisions that an organization contemplating insurance coverage litigation must make is the appropriate forum for the litigation. This decision, which may be affected by whether the policy contains a forum selection clause, can be critical to potential success, among other reasons, because the choice of forum may have a significant


3

impact on the related choice-of-law issue, which in some cases is outcome-determinative. Insurance contracts are interpreted according to state law, and the various state courts diverge widely on issues surrounding insurance coverage. Until the governing law applicable to an insurance contract is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper. The different interpretations given the same language from one state to the next can mean the difference between a coverage victory and a loss. It is therefore critical to undertake a careful choice of law analysis before initiating coverage litigation, selecting a venue, or, where the insurer files first, taking a choice of law position or deciding whether to challenge the insurer’s selected forum.

4. Consider Bringing in Other Carriers Often when there is a cybersecurity, privacy, or data protection-related issue, more than one insurance policy may be triggered. For example, a data breach like the Target breach may implicate an organization’s cyber insurance, commercial general liability (CGL) insurance, and Directors’ and Officers’ Liability insurance. To the extent that insurers on different lines of coverage have denied coverage, it may be beneficial for the organization to have those insurance carriers pointing the finger at each other throughout the insurance coverage proceedings. Again, considering the context, a judge, arbitrator, or jury may find it offensive if an organization’s CGL insurer is arguing, on the one hand, that a data breach is not covered because of a new exclusion in the CGL policy and the organization’s cyber insurer also is arguing that the breach is not covered under the cyber policy that was purchased to fill the “gap” in coverage created by the CGL policy exclusion. Relatedly, it is important to carefully consider the best strategy for pursing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio and each triggered policy.

5. Retain Counsel with Cyber Insurance Expertise Cyber insurance is unlike any other line of coverage. There is no standardization. Each of the hundreds of products in the marketplace has its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Obtaining coverage litigation counsel with substantial cyber insurance expertise will assist an organization on a number of fronts. Importantly, it will give the organization unique access to compelling arguments based upon the context, history, evolution, and intent of this line of insurance product. Likewise, during the discovery phase, coverage counsel with unique knowledge and experience is positioned to ask for and obtain the particular information and evidence that can make or break the case—and will be able to do so in a relatively efficient, streamlined manner. In addition to creating solid ammunition for trial, effective discovery often leads to successful summary judgment rulings, which, at a minimum, streamline the case in a cost-effective manner and limit the issues that ultimately go to a jury. Likewise, counsel familiar with all of the many different insurer-drafted forms as they have evolved over time will give the organization key access to arguments based upon both obvious and subtle differences between and among the many different policy wordings, including the particular language in the organization’s policy. Often in coverage disputes, the multimillion dollar result comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation.


4

Following these strategies and refusing to take “no” for an answer will increase the odds of securing valuable coverage.

Authors: Roberta D. Anderson [email protected] +1.412.355.6222

Anchorage Austin Beijing Berlin Boston Brisbane Brussels Charleston Charlotte Chicago Dallas Doha Dubai Fort Worth Frankfurt

Harrisburg Hong Kong Houston London Los Angeles Melbourne Miami Milan Moscow Newark New York Orange County Palo Alto Paris

Perth Pittsburgh Portland Raleigh Research Triangle Park San Francisco São Paulo Seattle Seoul Shanghai Singapore Spokane

Sydney Taipei Tokyo Warsaw Washington, D.C. Wilmington

K&L Gates comprises more than 2,000 lawyers globally who practice in fully integrated offices located on five continents. The firm represents leading multinational corporations, growth and middle-market companies, capital markets participants and entrepreneurs in every major industry group as well as public sector entities, educational institutions, philanthropic organizations and individuals. For more information about K&L Gates or its locations, practices and registrations, visit www.klgates.com.

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

© 2015 K&L Gates LLP. All Rights Reserved.

5 Policyholder Takeaways From Portal Insurance Coverage and Cyber Law and Cyber Security Alert

By Roberta D. Anderson

In a solid victory for policyholders, the Fourth Circuit upheld coverage last week for a potential data breach incident involving confidential medical records. The case is The Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C.,1 and involved coverage under two commercial general liability (CGL) insurance policies.

Significantly, and in contrast to the Recall Total case that was widely reported and debated last year,2 the Fourth Circuit in Portal Healthcare confirmed that a covered “publication” of records can exist even if the records at issue are not actually accessed by any third party. Rather, the Fourth Circuit confirmed that “publication” is satisfied for purposes of CGL coverage if the records are merely accessible. Likewise, in contrast to the New York trial court’s decision in the Sony PlayStation data breach insurance coverage litigation,3 the Fourth Circuit outright rejected the insurer’s argument that CGL coverage requires “intent” to publish the information, finding unintentional publication sufficient.

Portal Healthcare provides insureds another arrow in the coverage quiver, serving as an important reminder that actual and potential data breaches may be covered under CGL and other traditional policies.

Here we offer a brief summary of the Portal Healthcare facts and holding—and 5 key takeaways.

Portal Facts And Holding The insured in Portal Healthcare, Portal Healthcare Solutions, L.L.C., specializes in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.4 At issue in Portal Healthcare was whether Portal’s CGL insurer, Travelers, had a duty to defend Portal against class-action allegations that Portal failed to safeguard confidential medical records by posting those records on the internet and making them available to anyone who searched for a patient’s name and clicked on the first result.5

On cross motions for summary judgement in the insurance coverage litigation, the federal district court held that the posting of medical records was an electronic “publication,” and therefore covered under Portal’s CGL policies.6 Significantly, the court rejected Travelers’ argument that there was no covered “publication” because no third party was alleged to have viewed the information.7 Rather, applying established rules of insurance policy construction, the district court found that the undefined term “publication” required only that the records be “placed before the public”8 and it therefore was not relevant whether or not the records were accessed by a third party. Drawing analogy to a book placed on a Barnes & Noble shelf, the court noted that Travelers’ argument was contrary to the plain meaning of “publication”:

By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it. Travelers’ understanding of the term “publication” does not comport with the term’s

May 2, 2016

Practice Groups: Insurance Coverage Cyber Law and Cyber Security This article was first published by Advisen on May 2, 2016

5 Policyholder Takeaways From Portal

2

plain meaning, and the medical records were published the moment they became accessible to the public via an online search.9

In reaching its decision, the district court distinguished the authorities relied upon by Travelers, including Recall Total,10 finding that Recall Total was inapposite because, in contrast to Recall Total, the information in Portal Healthcare “was posted on the internet and thus, was given not just to a single thief but to anyone with a computer and internet access.”11

In addition, and also significantly, the district court rejected Travelers’ proposition that “publication” requires an intent to publish by the insured, finding that “an unintentional publication is still a publication.”12 The court further explained that “the issue cannot be whether [the insured] intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent. Rather, it hinges on whether the information was placed before the public.”13

The district court concluded that “the facts and circumstances alleged in the class-action complaint at least ‘potentially or arguably’ constitute a ‘publication’….”14

The Fourth Circuit affirmed, commending the district court’s “sound legal analysis” and confirming that “Travelers has a duty to defend Portal against the class-action complaint.”15

The Takeaways

Portal Healthcare offers five key takeaways: 1. Remember “traditional” policies. Portal Healthcare illustrates that there may be

valuable data breach coverage under CGL and other traditional insurance policies—even in the absence of an actual breach of information.16 This is important for organizations to remember because, while a growing number of organizations purchase specialty “cyber” and technology errors and omissions (E&O) policies, which are specifically designed to afford coverage for data breaches and other cybersecurity and data privacy-related risks, most organizations also have various forms of traditional insurance policies that may cover various types of cyber and privacy risks, including CGL, D&O, professional liability, property, and commercial crime policies, among others. In many circumstances there may be overlapping coverage under a number of the organization’s specialty and traditional insurance coverage.

2. Identify potential coverage—and potential coverage gaps—before a breach incident. Organizations are advised to carefully consider potential coverage across their entire insurance portfolio in advance of a potential breach event and undertake a “gap” analysis. While there may be valuable coverage under an organization’s CGL and other “traditional” insurance policies, insurers have made it abundantly clear that they do not want to cover “cyber” and various privacy-related exposures, including data breach, under traditional policies. For this reason, insureds should be aware that they may face costly insurance litigation to secure coverage—even where there is a good argument in favor of coverage. Likewise, in response to decisions upholding coverage for data breaches and other privacy-related exposures, the insurance industry has added various limitations and exclusions in recent years, which seek to cut off the “traditional” lines of coverage. Most recently, ISO filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These became effective in


3

May 2014.17 Although the full reach of the new exclusions ultimately will be determined by judicial review, from an enterprise risk management perspective, the newer exclusions provide another reason for companies to carefully consider specialty “cyber” insurance products.18

3. Carefully Consider—and negotiate—appropriate specialized coverage. “Cyber” and technology E&O insurance coverage can be extremely valuable,19 but choosing the right insurance product presents real and significant challenges. There is a diverse and growing array of cyber products in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. In addition, the specific needs of different industry sectors, and different companies within those sectors, are far-reaching and diverse. Although placing coverage in this dynamic space presents challenges, it also presents substantial opportunities. “Cyber” and technology E&O insurance policies are negotiable, and the terms of the insurer’s off-the-shelf policy forms can often be significantly enhanced and customized to respond to the insured’s particular circumstances. Frequently, very significant enhancements can be achieved for no increase in premium. It is important to identify the right cyber insurance product and then negotiate the coverage terms so that they reflect the reality of risk and the organization’s potential particular risk profile and exposure.

4. Don’t take “no” for an answer. Unfortunately, even where there is a legitimate claim for coverage, an insurer may deny an insured’s claim. Indeed, insurers can be expected to argue, as Portal’s insurers argued, that data breaches are not covered under CGL insurance policies. In addition, disputes are now arising under newer specialty “cyber” and technology E&O policies.20 Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage if they effectively pursue their claim.21

5. Maximize coverage across the entire insurance portfolio. Various types of insurance policies may be triggered by a data breach incident, and those various triggered policies may carry different insurance limits, deductibles, retentions, and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance, and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an organization’s various insurance policies, it is important for the organization to carefully consider the best strategy for pursing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio. By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, an organization should keep in mind considerations such as the fact that defense costs often do not erode CGL policy limits. Armed with the appropriate facts, the organization can structure the coverage strategy accordingly.

* * * * *

Portal Healthcare serves as an important reminder that, when facing a data breach event, and before an event occurs, organizations should carefully consider the insurance coverage that may be available to respond to a breach event and the most efficient ways to maximize coverage.


4

Author: Roberta D. Anderson [email protected] +1.412.355.6222








1 --- Fed.Appx. ----, 2016 WL 1399517 (4th Cir. Apr. 11, 2016). 2 Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 115 A.3d 458 (Conn. 2015). 3 The trial court in Zurich Am. Ins. Co. v. Sony Corp. of Am., et al., No 651982/2011 (Sup. Ct. N.Y.

County) ruled from the bench without a written opinion. The Transcript is cited below at footnote 13. 4 35 F.Supp.3d 765, 767 (2014) (Virginia law). 5 Id. at 768. Two patients in Portal Healthcare discovered that when they conducted a “Google” search of

their respective names, the first link that appeared was a direct link to their respective medical records. See id.

6 Id. at 771. The two policies at issue in Portal Healthcare covered, respectively, (1) the “electronic publication of material that ... gives unreasonable publicity to a person’s private life”; and (2) the “electronic publication of material that ... discloses information about a person’s private life”. Id. at 767.

7 The patients accessed their own records and only alleged that the information was available for view by a third party. See id. at 770-71.

8 Id. at 770. 9 Id. at 771. 10 Affirming the trial and intermediate appellate courts, the Connecticut Supreme Court in Recall Total

ultimately determined that the “publication” requirement was not satisfied because, as found by the intermediate appellate court, the plaintiffs “failed to provide a factual basis that the information on the tapes was ever accessed by anyone.” Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 83 A.3d 664, 673 (Conn. Super. Ct. 2014), aff’d 115 A.3d 458, 460 (Conn. 2015) (“Our examination of the record and briefs and our consideration of the arguments of the parties persuade us that the judgment of the Appellate Court should be affirmed.”). Significantly, however, the intermediate appellate court in Recall Total noted that there was nothing in the record in that case to suggest that “the unknown party even recognized that the tapes contained personal information.” Recall Total, 83 A.3d at 673 n.9. In contrast

http://www.klgates.com/


5

to the very unique facts of Recall Total, there should be no question that a “publication” exists to trigger CGL coverage in a typical data breach circumstance. See also Case Highlights Reasons To Consider Data Breach Insurance, Law360 (Jan. 14, 2014), http://www.law360.com/articles/501168/case-highlights-reasons-to-consider-data-breach-insurance

11 Portal Healthcare 35 F.Supp.3d at 771. 12 Id. at 770. 13 Id. On this point, Portal Healthcare reaches the a conclusion contrary to the conclusion reached by the

New York trial court in the Sony PlayStation coverage litigation, in which the trial court agreed with Sony’s insurers that “coverage is limited to protect against the purposeful and intentional acts committed by the insured or its agents [like third-party hackers], not by non-insureds or third-parties.” Zurich Am. Ins. Co.’s Mem. of Opp. to Sony Computer Entertainment Am. LLC’s Motion for Partial Summary Judgment and in Support of Cross-Motion for Summary Judgment, at p. 16 (Aug. 30, 2013). The trial court in Sony accepted the insurer’s argument that the policy coverage is limited to intentional acts. See Transcript of Proceedings, filed Mar. 3, 2014, at p. 77 (“The question now becomes, was that a publication that was perpetrated by Sony or was that done by the hackers. There is no way I can find that Sony did that.”). See also 5 Reasons The Sony Data Breach Coverage Denial Is Wrong, Law360 (Feb. 28, 2014), http://www.law360.com/articles/514248/5-reasons-the-sony-data-breach-coverage-denial-is-wrong?article_related_content=1 Notably, however, the trial court in Sony found that the “publication” requirement was otherwise satisfied—even though, as in Portal Healthcare, there was no evidence that the compromised data at issue in the Sony breach was actually published. See Transcript of Proceedings, filed Mar. 3, 2014, at pp. 42, 77 (“I look at it as a Pandora’s box. Once it is opened it doesn’t matter who does what with it. It is out there. It is out there in the world, that information….We are talking about the internet now. We are talking about the electronic age that we live in. So that in itself, by just merely opening up that safeguard or that safe box where all of the information was, in my mind my finding is that that is publication. It’s done.”).

14 Portal Healthcare, 35 F.Supp.3d at 771. Separately addressing the “unreasonable publicity” and “discloses” requirements, the district court held that “the facts and circumstances alleged in the class-action complaint gave ‘unreasonable publicity’ to, and ‘disclose[d]’ information about, patients’ private lives ….” Id. at 772. By way of background, insurers typically assert in privacy-related cases that the publication at issue did not violate a “person’s right of privacy” as contemplated by the insurance contract. Courts generally have construed the “right to privacy” requirement broadly and have found the requirement satisfied in a broad spectrum of settings.

15 2016 WL 1399517, at *2, *3. 16 The current CGL standard-form policy covers the “offense” of “[o]ral or written publication, in any

manner, of material that violates a person’s right of privacy.” ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §14.e. Considering this verbiage and similar iterations of the standard form language, numerous decisions have found coverage for a wide variety of claims alleging breach of privacy laws and regulations, including data breach.

17 By way of example, one of the endorsements, entitled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information”, adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.

http://www.law360.com/articles/514248/5-reasons-the-sony-data-breach-coverage-denial-is-wrong?article_related_content=1

http://www.law360.com/articles/514248/5-reasons-the-sony-data-breach-coverage-denial-is-wrong?article_related_content=1


6

CG 21 08 05 14 (2013).

18 See also ISO’s Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider “Cyber” Insurance, Law360 (Sept. 23, 2013), http://www.law360.com/articles/473886/yet-another-reason-to-consider-cyber-insurance

19 Virtually all “cyber” policies provide defense and indemnity coverage for claims arising out of data breaches and other privacy-related incidents. Importantly, “cyber” policies also typically provide coverage for the costs and expenses associated with “crisis” or “event” management in the wake of a data breach incident, including, for example, breach notification, credit monitoring and counseling services, public relations efforts, and forensics to determine cause and scope of a breach. In addition to privacy-related coverage, most “cyber” policies offer coverage for, among other things, liability and exposure arising out of the transmission of malicious code, denial of third-party access to the insured’s network (DDoS attacks), media liability (for claims for alleging, for example, infringement of copyright and other intellectual property rights), first-party coverage (for loss of the insured’s own data, for example), network/supply chain interruption (covering business interruption and extra expense caused by network incidents), and cyber extortion.

20 5 Tips For Success In Cyberinsurance Litigation, Law360 (July 30, 2015), http://www.law360.com/articles/681028/5-tips-for-success-in-cyberinsurance-litigation-

21 See, e.g., Travelers Prop. Cas. Co. of Am., et al. v. Federal Recovery Servs., Inc., et al., 103 F.Supp.3d 1297 (D. Utah 2015); Columbia Cas. Co. v. Cottage Health Sys., No., 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015). See also Takeaways From the First Cyberinsurance Lawsuit, The Legal Intelligencer (Aug. 25, 2015), http://www.thelegalintelligencer.com/id=1202735176117/Takeaways-From-the-First-Cyberinsurance-Lawsuit?slreturn=20160320151418; The Devil in the “Cyber” Insurance Details, K&L Gates Commercial Disputes Alert, (June 11, 2015), http://www.klgates.com/the-devil-in-the-cyber-insurance-details-06-11-2015/; Jeff Sistrunk, The State Of Cyber Coverage Law: 4 Key Decisions, Law360 (July 30, 2015), http://www.law360.com/privacy/articles/786246?nl_pk=882d66af-f96c-4c85-a7fa-ea6a190f0939&utm_source=newsletter&utm_medium=email&utm_campaign=privacy

http://www.law360.com/articles/473886/yet-another-reason-to-consider-cyber-insurance

http://www.law360.com/articles/473886/yet-another-reason-to-consider-cyber-insurance

http://www.klgates.com/the-devil-in-the-cyber-insurance-details-06-11-2015/

http://www.klgates.com/the-devil-in-the-cyber-insurance-details-06-11-2015/

http://www.law360.com/privacy/articles/786246?nl_pk=882d66af-f96c-4c85-a7fa-ea6a190f0939&utm_source=newsletter&utm_medium=email&utm_campaign=privacy

http://www.law360.com/privacy/articles/786246?nl_pk=882d66af-f96c-4c85-a7fa-ea6a190f0939&utm_source=newsletter&utm_medium=email&utm_campaign=privacy

The Devil in the “Cyber” Insurance Details By Roberta D. Anderson

There’s a tempest amidst the recent spring shower of “cyber” insurance cases. It isn’t the Recall Total case reported the week before last,1 or the Travelers v. Federal Recovery Services case reported the week before.2 While those two cases have garnered a great deal of media and other attention from those seeking, and seeking to provide, guidance surrounding insurance coverage for cybersecurity and data privacy-related liability, those cases are, by and large, relatively insignificant.

The tempest case is Columbia Casualty Company v. Cottage Health System.3 In Columbia Casualty, CNA’s non-admitted insurer, Columbia Casualty (CNA), seeks to avoid coverage under a “cyber” insurance policy for the defense and settlement of a data breach class action lawsuit. This is one of the first cyber/data privacy disputes under a “cyber” insurance policy that has resulted in litigation.

Columbia Casualty warrants close attention by any organization that currently purchases, or is considering purchasing, “cyber” insurance, as well as by those insurance intermediaries, outside coverage counsel, and other parties who seek to capably assist organizations in this complex area. Irrespective of the ultimate merits of CNA’s coverage positions, Columbia Casualty illustrates that the devil truly is in the details when placing “cyber” insurance coverage. While this type of coverage can be extremely valuable, and is likely to soon become a nondiscretionary purchase for many, if not most, organizations, it is particularly challenging to place successfully.

Below is a factual summary of the Columbia Casualty case, a summary of the coverage issues, and some takeaway thoughts for avoiding the two important potential coverage issues highlighted by the case: (1) broad exclusions relating to cybersecurity/data protection practices, and (2) the misrepresentation defense.

The Facts

Underlying Data Breach Litigation And Regulatory Investigation Columbia Casualty arises out of a data breach incident that resulted in the release of private electronic healthcare patient information stored on network servers owned, maintained, or used by the insured, Cottage Health System (Cottage).4

In the wake of the breach, Cottage faced a putative class action lawsuit alleging that “the confidential medical records of approximately 32,500 patients at the hospitals affiliated with 1 Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., --- A.3d ----, 2015 WL 2371957 (Conn. May 26, 2015). 2 Travelers Prop. Cas. Co. of Am., et al. v. Federal Recovery Servs., Inc., et al., No. 2:14-CV-170 TS (D. Utah May 11,

2015)). 3 No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015). 4 See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶2-3. Cottage operates a network of hospitals

located in Southern California. See id.

11 June 2015 Practice Groups: Insuranc Coverage Cyber Law and Cybersecurity This alert was first published by Advisen on May 28, 2015

The Devil in the “Cyber” Insurance Details

2

[Cottage] were negligently disclosed and released to the public on the internet.”5 The lawsuit sought damages for alleged violation of California’s Confidentiality of Medical Information Act.6

The lawsuit settled in April 2015 for $4.125 million.7 Cottage’s “cyber” insurer, CNA, funded the settlement pursuant to a reservation of rights.8

Following the settlement of the data breach lawsuit, CNA filed its coverage litigation, in which CNA seeks declarations of non-coverage. In particular, CNA seeks declarations both that it: (1) “is not obligated to provide Cottage with a defense or indemnification in connection with any and all claims stemming from the data breach,”9 and (2) is entitled “to reimbursement in full from Cottage for any and all attorney’s fees or related costs or expenses … in connection with the defense and settlement of the class action lawsuit and any related proceedings.”10

The “Cyber” Insurance Policy CNA issued to Cottage its NetProtect360 cyber insurance policy with limits of $10 million.11 The policy provides coverage for, among other things, “Privacy Injury Claims.”12 Based on CNA’s complaint, there is no dispute as to whether the data breach lawsuit triggers the policy coverage. Those familiar with the off-the-shelf NetProtect360 policy form likely would agree that it does. And CNA does not allege otherwise.

The Coverage Issues CNA denies coverage for the defense and settlement of the data breach lawsuit on two principal bases, which are discussed in turn.

Exclusion For “Failure to Follow Minimum Required Practices” CNA relies upon an exclusion in the NetProtect360 policy, entitled “Failure to Follow Minimum Required Practices,” which states as follows:

Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss:

* * * 5 Kenneth Rice, et al. v. INSYNC, Cottage Health Sys., et al., Case No. 30-2014-00701147-CU-NP-CJC (Ca. Super. Ct.

Jan. 27, 2014), ¶1. 6 Id. ¶¶68, 80.

According to CNA’s complaint, Cottage also faces an ongoing investigation by the California Department of Justice regarding potential HIPAA violations. See Complaint For Declaratory Judgment And Reimbursement, ¶¶6, 22. In its declaratory judgment action, CNA also disclaims coverage for this proceeding. See CNA Complaint For Declaratory Judgment And Reimbursement, ¶¶46-49.

7 See Order Granting Final Approval of Proposed Class Action Settlement and Judgment (Apr. 15, 2015), Findings in Support of Final Settlement Approval ¶2.B.; see also Class Action Settlement And Release Agreement, § 3.1.

8 See CNA Complaint For Declaratory Judgment And Reimbursement, ¶5. 9 Id. ¶8. 10 Id. ¶9. 11 Id. ¶22-23. 12 Id. ¶25.


3

O. Failure to Follow Minimum Required Practices

based upon, directly or indirectly arising out of, or in any way involving:

1. Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing;…13

Citing to this exclusion, CNA alleges that coverage is precluded because its insured purported to do certain things relating to various aspects of network and computer security. In particular, CNA alleges that its insured failed to “continuously implement the procedures and risk controls identified in its application,” to “regularly check and maintain security patches on its systems,” and to “enhance risk controls,” among a host of “other things”:

41. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused as a result of File Transfer Protocol14 settings on Cottage’s internet servers that permitted anonymous user access, thereby allowing electronic personal health information to become available to the public via Google’s internet search engine.

42. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to continuously implement the procedures and risk controls identified in its application, including, but not limited to, its failure to replace factory default settings its failure to ensure that its information security systems were securely configured, among other things.

43. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored

13 Id. ¶26. A separate policy “condition” states as follows:

Q. Minimum Required Practices

The Insured warrants, as a condition precedent to coverage under this Policy, that is shall:

1. follow the Minimum Required Practices that are listed in the Minimum Required Practices endorsement as a condition of coverage under this policy, and

2. maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.

Id. ¶27. 14 This is used to transfer files between computers on a network.


4

on its servers and its failure to control and track all changes to its network to ensure it remains secure, among other things.

44. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding and that coverage for the claims and potential damages at issue in the Underlying Action and the DOJ Proceeding is precluded pursuant to the Columbia Policy’s Failure to Follow Minimum Required Practices” exclusion.15

CNA does not allege that its insured willfully, that it acted recklessly, or even that it was grossly negligent.

The Misrepresentation Defense In support of its misrepresentation defense, CNA relies principally upon the policy “Application” condition in the policy, which states, among other things, that the insurance policy “shall be null and void if the Application contains any misrepresentation or omission … which materially affects either the acceptance of the risk”:

I. Application

1. The Insureds represent and acknowledge that the statements contained on the Declarations and in the Application, and any materials submitted or required to be submitted therewith (all of which shall be maintained on file by the Insurer and be deemed attached to and incorporated into this Policy as if physically attached), are the Insured’s representations, are true and: (i) are the basis of this Policy and are to be considered as incorporated into and constituting a part of this Policy; and (ii) shall be deemed material to the acceptance of this risk or the hazard assumed by the Insurer under this Policy. This Policy is issued in reliance upon the truth of such representations.

2. This Policy shall be null and void if the Application contains any misrepresentation or omission:

a. made with the intent to deceive, or

b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.16

15 Id. ¶¶41-44 (footnote reference and emphasis added). 16 Id. ¶27. CNA also cites to a “Warranty” provision in the insurance application, stating as follows:

Applicant hereby declares after inquiry, that the information contained herein and in any supplemental applications or forms required hereby, are true, accurate and complete, and that no material facts have been suppressed or misstated. Applicant acknowledges a continuing obligation to report to the CNA Company to whom this Application is made (“the Company”) as soon as practicable any material changes…all such information, after signing the application and prior to issuance of this policy, and acknowledges that the Company shall have the right to withdraw or modify any outstanding quotations and/or authorization or agreement to bind the insurance based upon such changes.


5

Citing to this condition, CNA alleges that it is entitled to a declaration of non-coverage because its insured’s “application for coverage … contained misrepresentations and/or omissions of material fact” relating to its purported “failure to maintain the risk controls identified in its application”:

51. The Columbia Policy’s “Application” condition provides that the Columbia Policy “shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.”

52. The Columbia Policy’s “Minimum Required Practices” condition provides that, as a “condition precedent to coverage,” Cottage warrants that it shall “maintain all risk controls identified in the Insured’s Application and any supplemental information provided by the Insured in conjunction with Insured’s Application for this Policy.”

53. Upon information and belief, Cottage’s application for coverage under the Columbia Policy contained misrepresentations and/or omissions of material fact that were made negligently or with intent to deceive concerning Cottage’s data breach risk controls.

54. Upon information and belief, the data breach at issue in the Underlying Action and the DOJ Proceeding was caused by Cottage’s failure to maintain the risk controls identified in its application, including, but not limited to, its failure to replace factory default settings to ensure that its information security systems were securely configured.

55. Accordingly, Columbia is entitled to a declaration that it is not obligated to defend or indemnify Cottage in connection with the Underlying Action or the DOJ Proceeding based on Cottage’s breaches of the Columbia Policy’s “Application” and “Minimum Required Practices” conditions.17

Again, note that CNA seeks to avoid coverage even to the extent its insured’s alleged misrepresentations or omissions “were made negligently.”

Further, Applicant understands and acknowledges that:

* * *

2) If a policy is issued, the Company will have relied upon, as representations, this application, any supplemental applications and any other statements furnished to this Company in conjunction with this application.

3) All supplemental applications, statements and other materials furnished to the Company in conjunction with this application are hereby incorporated by reference into this application and made a part thereof.

4) This application will be the basis of the contract and will be incorporated by referenced into and made a part of such policy.

Id. ¶31. 17 Id. ¶¶51-55 (emphasis added).


6

The Takeaway Tips

1. Beware Of Broadly-Worded Cybersecurity/Data Protection Exclusions The California Court in Columbia Casualty should reject outright CNA’s attempt to avoid coverage based on a ridiculously broadly-worded, open-ended exclusion, which, if enforced literally as interpreted by CNA, would largely, if not entirely, vaporize the coverage that CNA sold under the NetProtect360 policy. For starters, exclusions are to be read narrowly against CNA under established rules of insurance policy construction,18 and broad exclusions that would render coverage illusory are not permitted in California19 or elsewhere.20 Nor is the exclusion, as interpreted by CNA, consistent with an insured’s reasonable expectations concerning the coverage afforded under the NetProtect360 policy,21 which, as represented by CNA in its marketing materials, offers “exceptional first-and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber Liability and CNA NetProtect Products

CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.22

To be sure, the fact that any insured reasonably can be expected to make mistakes, i.e., to be negligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing “cyber” liability coverage.

Putting aside the merits of CNA’s contentions, the type of “Failure to Follow Minimum Required Practices” exclusion found in the off-the-shelf NetProtect360 is regrettably common, and, as the Columbia Casualty illustrates, may be read by insurers to significantly undermine, if not completely vitiate, coverage, requiring insureds to become engaged in coverage litigation as a predicate to obtaining coverage.

18 See, e.g.,. 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where

they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”); see also 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses.”).

19 See, e.g., Armstrong World Indus., Inc. v. Aetna Cas. & Sur. Co., 52 Cal. Rptr. 2d 690, 705 (Cal. Ct. App. 1996) (rejecting the insurers’ approach where “the insurers’ approach would essentially render the asbestos manufacturers’ insurance coverage illusory”).

20 See, e.g., Allan D. Windt, 2 Insurance Claims and Disputes § 6:2 (6th ed. updated Mar. 2015) (“a court will not allow an exclusion to eliminate coverage that is expressly and specifically provided for in the same policy form. More generally stated, a policy will not be interpreted to create illusory coverage. For example, in the context of analyzing the absolute pollution exclusion, discussed in § 11:11, some courts have refused to apply the exclusion as written based upon what was, in effect, the conclusion that the exclusion would cause the coverage to be illusory.”).

21 See, e.g., 2 Couch on Insurance § 22:11 (“the rule is that the objectively reasonable expectations of applicants and intended beneficiaries regarding the terms of insurance contracts will be honored even though a painstaking study of the insurance provisions would have negated those expectations”).

22 https://www.cnapro.com/html/Our_Products/OurProducts_CNANetProtect.html

https://www.cnapro.com/html/Our_Products/OurProducts_CNANetProtect.html


7

The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, “cyber” insurance policies are highly negotiable. It is possible to cripple inappropriate exclusions by appropriately curtailing them, or to entirely eliminate them -- and often this does not cost additional premium.

2. Guard Against A Misrepresentation Defense We have seen it in the D&O context for years, and it’s coming to “cyber”: the insurer’s misrepresentation/concealment defense. Provisions like the ones that CNA relies upon in Columbia Casualty are contained in some form in the majority of insurance applications and policies. And, while certainly not unique to “cyber” insurance, these types of provisions can be more troubling in the cyber context because of the subject matter being insured. “Cyber” insurance applications can, and usually do, contain myriad questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. These questions are often answered by technical specialists, moreover, that may not appreciate the nuances and idiosyncrasies of insurance coverage law, such as the fact that, depending upon applicable law, there is a risk that an unintentional misrepresentation may suffice to allow an insurer to deny coverage.23 So what can be done? One line of attack is to negotiate significantly better policy terms relating to the application and misrepresentation. Another worthwhile strategy is to have coverage counsel involved in the application process. It often makes sense for coverage counsel to engage outside computer security consultants to assist with the application process. The application process can be valuable, shining a spotlight on current cybersecurity risk management practices that may reveal potential weaknesses that should be addressed. But, clearly, managing the process with an eye toward potential future claims is advisable. The CNA case illustrates the importance of embracing a cohesive, team approach and being mindful of potential future coverage disputes when placing this type of coverage.

Author: Roberta D. Anderson [email protected] +1.412.355.6222

23See, e.g., Rafi v. Rutgers Cas. Ins. Co., 872 N.Y.S.2d 799 (N.Y. App. Div. 2009) (“although misrepresentations made by

an insured must be material, they may be innocently or unintentionally made”).


8








http://www.klgates.com/

navigating a cybersecurity insurance policy · 2016-08-16 · course materials aug. 16, 2016 noon-1...

Documents