“Caveat emptor” – buyer beware – is the most common warning to those shopping for big-ticket items. That, apparently, applies in spades to buying cyber insurance.
Not that buying it is a bad idea, say insurance experts, who note the obvious – the catastrophic losses of a major breach could break a company financially.
“A carefully tailored policy is worth it, when you’ve taken the time to review the terms,” said Lynda Bennett, chair of the Insurance Recovery Practice at Lowenstein Sandler LLP, adding that it is rapidly becoming mandatory for any company that contracts with others.
“We’re seeing an uptick in companies demanding warranties that you carry it,” she said. “It’s going to be a reality for most businesses that contract with others.”
So the advice of Bennett and others is more along the lines of “buy, but be aware,” because the complexity of such policies, complete with fine-print exclusions, can leave an organization without protection it may think it has.
Indeed, “carefully tailored” could mean the difference between millions in coverage and an expensive dispute with an insurer that is refusing to pay.
The most high-profile recent example of that is Columbia Casualty Company v. Cottage Health Systems, a suit filed May 7 in U.S. District Court in California.
Cottage, a California-based healthcare provider, had a so-called NetProtect360 claims-made policy with Columbia, a unit of Chicago-based CNA, when it suffered a data breach of about 32,500 confidential medical records between Oct. 8 and Dec. 2, 2013.
The breach led to a class-action lawsuit brought by patients. A settlement for about $4.12 million received preliminary court approval last December, according to the complaint. There is also an investigation pending by the California Department of Justice about whether Cottage violated provisions of the federal Health Insurance Portability and Accountability Act (HIPAA), which could lead to sanctions or fines.
And that led to the pending complaint from Columbia, which agreed to pay the claim but asserts that Cottage should pay the money back because of its “failure to follow minimum required (security) practices.”
According to the complaint, “Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc., stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the Internet.”
Or, as the headline in a recent Naked Security post put it, “We don’t cover stupid, says cyber insurer …”
Indeed, if everything Columbia alleges in the complaint is true, there is clearly an argument that Cottage was at least negligent, if not stupid. According to Columbia, Cottage claimed in its application for the policy that it maintained 10 specific security measures that then amounted to conditions of coverage. It said the breach demonstrated that Cottage had failed to:
- Continuously implement the procedures and risk controls identified in its application;
- Regularly check and maintain security patches on its systems; and
- Enhance risk controls, among a host of “other things.”
Columbia asserts that those alleged failures amount to “misrepresentations and/or omissions of material fact” in Cottage’s application, which means “the Insurer shall not be liable to pay any Loss.”
There is also an argument, however, that one of the major purposes of insurance is to cover damages arising from mistakes – even stupid mistakes.
An auto insurer may raise a customer’s premium for falling asleep at the wheel and smashing into a tree, but it will still cover the damages. A homeowner who gets robbed doesn’t lose coverage because he inadvertently left his door unlocked.
That is the argument Roberta Anderson, a partner at K&L Gates LLP, made in a recent post about the case on Cyber Risk Network. “The fact that any insured reasonably can be expected to make mistakes, i.e., to be negligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing ‘cyber’ liability coverage,” she wrote.
Anderson noted that CNA’s marketing materials say it offers coverage “to address a broad range of exposures,” including “security breaches” and “mistakes.” She wrote that the court “should reject outright CNA’s attempt to avoid coverage based on a ridiculously broadly worded, open-ended exclusion …”
Bennett agreed. “That exclusion should never have found its way into the policy,” she said.
Darren Guccione, CEO of Keeper Security, said most good cyber policies don’t have exclusions like that. “It doesn’t matter if the insured was negligent or if they did everything correctly and the bad guys are just really good; today’s policies respond to cyber events,” he said, adding that a colleague who is a cyber insurance broker told him recently that Columbia has removed the exclusion at issue with Cottage from its current version of NetProtect360.
“None of the leading insurance carriers have similar language in their current policies, although some might still try to slip it in,” he said.
Whatever the merits of either side in the Columbia v. Cottage case, the dispute over the language demonstrates that, as Anderson put it, “the devil truly is in the details when placing ‘cyber’ insurance coverage.”