In an article featured in DRI’s The Voice newsletter (May 2018), attorney Karen Karabinos and Eric Mull provide information on how misrepresentation on the applications for and the provisions of cyber policies may bar coverage in either first-party or third-party cyber claims.
As businesses realize the importance of obtaining cyber policies, insurance carriers and insureds must be cognizant of the applications for and the provisions of cyber policies that may bar coverage in either first-party or third-party cyber claims. Some of these defenses may be new, based on specialized provisions or coverages contained in the cyber policy. Other possible defenses may be traditional ones that insurers have previously raised in response to property claims.
The case of Columbia Casualty Co. v. Cottage Health System, No. 2:16-cv-3759 (C.D. Ca.), (filed May 31, 2016), highlights both the new and traditional defenses that can affect cyber coverage. Cottage Health System (Cottage) suffered a data breach that resulted in the release of private health-care patient information stored on network servers that Cottage owned and maintained. Columbia Casualty (Columbia) defended Cottage in a lawsuit brought by Cottage’s patients, and after Columbia reached a settlement with the patients, Columbia filed a declaratory judgment action against Cottage, seeking reimbursement of the costs in defending the patients’ lawsuit. In its complaint, Columbia raised several possible defenses that it has claimed warranted reimbursement by Cottage.
Columbia alleged that Cottage made misrepresentations and/or omissions of material fact concerning its data-breach risk controls when Cottage applied for the cyber policy. The application contained a “Risk Control Self Assessment” containing a list of questions, four of which asked Cottage about checking security patches, replacing default settings, and other actions that Cottage takes to reassess Cottage’s exposure to privacy threats. In response to these questions, Columbia alleged that Cottage mispresented that it had such risk controls in place.