The much-publicized case of Columbia Casualty Co. v. Cottage Health System reminds companies of the importance of reading their cyber policy, knowing what’s in it, and adhering to the terms of the policy.
Cottage Health System operates a network of hospitals in Southern California and had a NetProtect360 claims-made policy with Columbia Casualty, a unit of CNA. In the fall of 2013, Cottage Health suffered a data breach involving approximately 32,500 confidential medical records. Columbia is now seeking a declaratory judgment against Cottage, saying that it is not obliged to defend or indemnify Cottage because the insured did not comply with the terms of its policy. Columbia asserts that Cottage agreed to maintain certain minimum risk controls as a condition of its coverage and then failed to maintain them. Columbia also alleges that Cottage provided false responses to the “Risk Control Self Assessment” in its application for coverage.
While insurance coverage-related lawsuits are not a new phenomenon, we are sure to see an increasing number of cyber coverage suits as take-up rates increase, breaches occur, and claims are made. It is also a good reminder, as the article states, that companies should:
- Review their cyber insurance policies for scope of coverage
- Conduct a review, both internally and externally, to ensure compliance with representations made to the insurer about their practice and procedure
- Monitor their compliance with those representations on a regular basis