Insurance policies covering data breach liability began appearing roughly ten years ago. We noted then a troublesome provision in some forms that seemed to exclude coverage for the insured’s failure to maintain data security – in other words, the very risk the insured was seeking to insure. We’ll call it the “Mistake Exclusion.” One AIG form from 2006, for example, excluded coverage arising out of “your failure to take reasonable steps to use, design, maintain and upgrade your security.” A 2009 Darwin form excluded coverage for any claim arising out of “any failure of an Insured to continuously implement the procedures and risk controls identified in the Application for this insurance.” But isn’t liability insurance supposed to do just that – protect against the insured’s mistakes, innocent or negligent? We hoped and expected that as the market for these policies matured, savvy brokers and risk managers would insist that these Mistake Exclusions be removed or substantially narrowed. But that has not happened.

We now have the first case we are aware of by an insurer seeking to enforce a Mistake Exclusion. In Columbia Casualty Company v. Cottage Health Systems, filed May 7, 2015 in the U.S. District Court in Los Angeles, Columbia seeks to enforce an exclusion barring coverage for a data breach claim arising out of any “failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing.” Columbia’s complaint arises out of a class action suit against Cottage alleging that, for a period of two months in 2013, 32,500 patient records were accessible via the Internet. Cottage had hired a third-party vendor to store Cottage’s records electronically and that vendor mistakenly set the File Transfer Protocol settings to allow public access. Columbia funded Cottage’s defense and settlement, but is suing to recover all of its payments from Cottage.

Continue Reading New Case Highlights Deep Hole in Cyber Insurance Policies

Earlier this month, I gave a presentation with Irfan Saif, principal of Deloitte & Touche, on cyber insurance at the Institute for Advance Corporate Counsel (iACC) in Burlingame, CA. We discussed how companies can analyze their data-related risks and develop strategies to mitigate those risks, including through the purchase of insurance. Because cyber insurance is still a developing market, insurance policy forms are far from standardized and often can be negotiated. As a result, it is important to carefully analyze your company’s data security risks and the proposed policy forms when considering the purchase of cyber insurance. This is particularly critical when the company’s risks are related to its data held by third parties or to computer systems that rely on third-party systems, as the scope of coverage for these risks varies widely among the policy forms currently available.

Continue Reading Panel Discussions on Mitigating Cyber Risk

It’s official—cybersecurity is now a top-ranked risk at the board level, according to the “Lloyds Risk Index 2013.” This should make digital risk a focus of senior corporate management.

Those managing corporate risk should leverage the emerging cyber insurance market, which is rapidly growing and evolving. But they should do so methodically, after