Takeaways From the First Cyberinsurance Lawsuit

1. Takeaways From the First Cyberinsurance Lawsuit
2.  
3. Roberta Anderson, The Legal Intelligencer
4. August 25, 2015
5.  
6. Cyberinsurance litigation is coming. This reality is underscored by CNA's recently filed lawsuit against its insured, Cottage Health Systems, styled Columbia Casualty v. Cottage Health System, No. 2:15-cv-03432 (C.D. Cal., filed May 7, 2015). Through its preemptive lawsuit, which is one of the first cyber/data privacy disputes under a cyberinsurance policy that has resulted in litigation, CNA seeks to avoid coverage for the defense and settlement of a data breach class action lawsuit against its insured and a related regulatory proceeding. Columbia Casualty warrants close attention by any organization that currently purchases, or is considering purchasing, cyberinsurance, as well as by those insurance intermediaries, outside coverage counsel, and other parties that seek to capably assist organizations in this complex area. Below I discuss the disputes at issue in the Columbia Casualty case and provide five key takeaway tips for prevailing in cyberinsurance coverage litigation.
7.  
8. The Disputes at Issue
9.  
10. Columbia Casualty arises out of a data breach incident that resulted in the release of private electronic health care patient information stored on network servers owned, maintained or used by the insured, Cottage Health System. In the wake of the breach, Cottage faced a putative class action lawsuit alleging that "the confidential medical records of approximately 32,500 patients at the hospitals affiliated with [Cottage] were negligently disclosed and released to the public on the internet," in Rice v. Insync, Case No. 30-2014-00701147-CU-NP-CJC (Ca. Super. Ct. Jan. 27, 2014).
11.  
12. The lawsuit settled in April for $4.13 million. Cottage's insurer, CNA, funded the settlement pursuant to a reservation of rights and then filed preemptive coverage litigation seeking a declaration of noncoverage under the NetProtect360 insurance policy at issue, and reimbursement of the settlement payment.
13.  
14. CNA denies coverage for the defense and settlement of the data breach lawsuit on two principal bases: (1) an exclusion in the policy, titled "Failure to Follow Minimum Required Practices," which CNA alleges voids coverage because Cottage failed to "continuously implement the procedures and risk controls identified in [the insurance] application," to "regularly check and maintain security patches on its systems," and to "enhance risk controls," among unspecified "other things"; and (2) a separate condition in the policy, titled "Application," which CNA alleges was violated, therefore voiding coverage, because Cottage's "application for coverage ... contained misrepresentations and/or omissions of material fact" relating to its purported "failure to maintain the risk controls identified in its application."
15.  
16. Notably, CNA does not allege that its insured acted willfully, that it acted recklessly, or even that it was grossly negligent. CNA's peremptory suit was dismissed without prejudice by order dated July 17, because CNA failed to exhaust alternative dispute resolution procedure in its policy, and is heading to mediation.
17.  
18. Tips For Prevailing
19.  
20. • The best defense is a good offense.
21.  
22. Irrespective of the merits of CNA's coverage positions, Columbia Casualty illustrates that the devil is in the details when placing cyberinsurance coverage. Often in coverage disputes, the multimillion-dollar result comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation. Therefore, before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage in order to decrease the likelihood of a coverage denial.
23.  
24. In contrast to many types of commercial insurance policies, cybersecurity policies are often negotiable, and the insurer's off-the-shelf forms can usually be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.
25.  
26. • Tell a concise and compelling story.
27.  
28. When facing coverage litigation, it is critical that nuanced, complex issues come across to a judge, jury or arbitrator as simple and straightforward. Getting overly caught up in the weeds of policy interpretations and legal issues, particularly at the outset, risks losing the organization's critical audience and obfuscating a winningly concise, compelling story that is easy to understand, follow and sympathize with. Boiled down to its essence, the story may be—and in this context often is—something as simple as:
29.  
30. "They promised to protect us from a cyberbreach if we paid the insurance premium. We paid the premium. They broke their promise."
31.  
32. • Place the story in the right context.
33.  
34. It is critical to place the story in the proper context because, unfortunately, many insurers in the cyberinsurance space, whether by negligent deficit or deliberate design, are selling products that do not reflect the reality of e-commerce and its risks. Many off-the-shelf cybersecurity insurance policies, for example, limit the scope of coverage to only the insured's own acts and omissions, or only to incidents that impact the insured's network. Others contain broadly worded, open-ended exclusions like the one at issue in the Columbia Casualty case, which, if enforced literally, would largely if not entirely vaporize the coverage ostensibly provided under the policy. These types of exclusions can be acutely problematic and flat-out impracticable. There are myriad other traps in cyberinsurance policies—even more in those that are not carefully negotiated—that may allow insurers to avoid coverage if the language were applied literally.
35.  
36. If the context is carefully framed and explained, however, judges, juries and arbitrators should be inhospitable to the various "gotcha" traps in these policies. Taking the Columbia Casualty case as an example, any insured can reasonably be expected to make mistakes in implementing security and this reality is, in fact, a principal reason for purchasing cyberliability coverage in the first place. CNA's attempt to rely on a ridiculously broadly worded, open-ended exclusion relating to negligence in failing to follow various security practices is therefore in conflict with an insured's reasonable expectations concerning the coverage it purchased, which, as represented by CNA in its marketing materials, offers "exceptional first- and third-party cyberliability coverage to address a broad range of exposures," including "security breaches" and "mistakes."
37.  
38. It is important to use the discovery phase to fully flesh out the context of the insurance and the entire insurance transaction in addition to the meaning, intent and interpretation of the policy terms and conditions, claims handling, and other matters depending on the particular circumstances of the coverage action.
39.  
40. • Secure the best potential venue and choice of law.
41.  
42. One of the first and most critical decisions that an organization contemplating insurance coverage litigation must make is the appropriate forum for the litigation. This decision, which may be affected by whether the policy contains a forum-selection clause, can be critical to potential success, among other reasons because the choice of forum may have a significant impact on the related choice-of-law issue, which in some cases is outcome-determinative. Insurance contracts are interpreted according to state law and the various state courts diverge widely on issues surrounding insurance coverage. Until the governing law applicable to an insurance contract is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper. The different interpretations given the same language from one state to the next can mean the difference between a coverage victory and a loss. It is therefore critical to undertake a careful choice-of-law analysis before initiating coverage litigation or selecting a venue or, where the insurer files first, before taking a choice-of-law position or deciding whether to challenge the insurer's selected forum.
43.  
44. • Don't take no for an answer.
45.  
46. Many insurance coverage disputes can be, should be, and are settled without the need for litigation and its attendant costs and distractions. However, some disputes cannot be settled, and organizations are compelled to resort to courts or other tribunals in order to obtain the coverage they paid for, or, with increasing frequency, they are pulled into proceedings by insurers seeking to preemptively avoid coverage, as illustrated by the Columbia Casualty case. Even where a solid insurance policy is in place, and there is a good claim for coverage under the policy language and applicable law, insurers can and do deny coverage. The good news is that if insureds fight for coverage, and follow sound litigation strategies, they may well prevail. Refusing to take no for an answer will increase the odds of securing valuable coverage. 
47.  
48. Roberta Anderson, a partner in the Pittsburgh office of K&L Gates, is a member of the firm’s global insurance coverage practice group and a co-founder of the firm’s global cyberlaw and cybersecurity practice group.