Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements.

Cottage Health, an operator of a hospital network, suffered a data breach in 2013 resulting in thousands of its patients’ private medical information being publicly disclosed. In addition to other losses, Cottage Health paid $4.125 million to settle a putative class action in 2014 and faces additional proceedings arising from the breach. Columbia’s lawsuit denies all coverage for the breach and seeks to rescind its policy due to the insured’s alleged failure to comply with the cybersecurity practices described in its application.

In its complaint Columbia contends, first, that the “Failure to Follow Minimum Required Practices” exclusion in its cyber policy—applying to losses from, among other things, the Insured’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application”—precludes coverage for Cottage Health’s losses.

Columbia further contends that it has a right to void its policy altogether due to alleged misstatements in the “Risk Control Self Assessment” that Cottage Health completed as part of its cyber insurance application. For example, Columbia alleges that Cottage Health misrepresented:

  • “that it replaced factory default settings to ensure that its information security systems were securely configured”;
  • “that it regularly checked and maintained security patches on its systems”; and
  • “the degree of due diligence Cottage exercised with respect to [its information security management vendor’s] safeguards.”

Relying on its broadly worded “Application” condition and “Minimum Required Practices” warranty, Columbia asserts that even if Cottage Health did not intend to deceive, a negligent misrepresentation or omission of material fact is enough under these clauses for Columbia to deem its cyber policy “null and void.”

One lesson for policyholders from the Cottage Health lawsuit is that the cyber insurance application process and its relation to policy conditions and exclusions must be managed with care, not only to avoid potential misstatements and omissions, but also to close off potential opportunities for the insurer to engage in “post-loss underwriting”; that is, after receiving notice of a loss, to search for inaccurate application responses—even those innocently made, and even those unrelated to the loss—to support a denial of coverage.  Both risk managers and IT personnel, with the assistance of cybersecurity experts if necessary, must actively engage in preparing the responses to cyber insurance application questionnaires and risk self-assessments.

In addition, any new cyber policy wording requires expert legal scrutiny before purchase, because these specialty insurance products can contain gaps or hidden traps. For example, Cottage Health might have averted its dispute with Columbia if the policy’s potentially onerous “Failure to Follow Minimum Required Practices” exclusion had been modified or deleted. Similarly, the policy’s strict “Application” and “Minimum Required Practices” clauses might have been moderated—for example, by limiting the right of rescission to cases of intentional misrepresentation of material facts.

John Buchanan

John Buchanan, senior counsel in Covington’s Washington office and the firm’s first Insurance Practice Group Coordinator, has represented policyholders in insurance coverage advocacy, dispute resolution and counseling for nearly four decades. His practice has ranged from the early DES and asbestos coverage litigation to claims for some of the largest cyber losses in history. John has litigated, arbitrated or negotiated a wide variety of complex property and casualty insurance claims, from railroad derailment claims to satellite-in-orbit claims, and from silver-theft claims to cyber claims. The National Law Journal named him an Insurance Trailblazer in 2021, and Best Lawyers has twice named him Washington Insurance Lawyer of the Year. Chambers USA has also consistently recognized him in its national rankings for insurance coverage lawyers (currently as Senior Statesman, previously in Band 1), as have Best of the Best USA, Who’s Who Legal and other peer reviewed lawyer registries.

John became involved with emerging cyber-related coverage issues in the mid-1990s and co-authored one of the earliest treatise chapters on cyber insurance coverage in 2001. Starting with the network intrusion and payment card thefts discovered by TJX in 2006, he has represented policyholders pursuing claims for losses arising from data breaches reported to involve tens of millions of compromised records. John also regularly advises businesses in the management of their cyber and cyber-physical risks, such as those arising from products or services involving the Internet of Things (IoT), Artificial Intelligence (AI), Connected and Autonomous Vehicles (CAVs), and the Metaverse or “Web3.”

John speaks and writes frequently on novel or emerging risks, including in recent years the insurance issues arising from the Metaverse, the COVID-19 pandemic, AI and robotics, “InsurTech,” CAVs, the IoT, blockchain, drones, and social engineering fraud. He has taught a graduate-level course on Insurance Litigation at U.Conn. Law School’s Insurance Law Center, and he co-chaired the American College of Coverage Counsel/U.Conn. Virtual Mini-Symposium on pandemic liability coverage in late 2020.

Among other bar activities, John has served as an appointed Adviser to the American Law Institute’s Restatement of the Law of Liability Insurance, as well as on the Members’ Consultative Groups for the ALI’s Compliance, Enforcement, and Risk Management Principles project and the Restatement (Third) of Torts. He currently co-chairs the Cyber Subcommittee of the ABA Litigation Section’s Insurance Coverage Litigation Committee (ICLC), as well as the Cyber, Computer & Emerging Risks Committee of the American College of Coverage Counsel, of which he is an elected Fellow. He has also served on the ABA Dispute Resolution Section’s Task Force on Improving Mediation Quality; as an elected member of the Steering Committee of the Law Practice Management Section of the DC Bar; on the ABA Task Force for a Manual on Complex Insurance Coverage Litigation; on the Nomination Committee of the ACCC; and in various leadership roles for the ICLC, including as past Website Co-Editor-in-Chief and Co-chair of its annual meeting.

John is a graduate of Harvard Law School, Oxford University, and Princeton University. After clerking on the U.S. Court of Appeals for the Third Circuit, he has spent his entire legal career at Covington.

Ben Duke

Ben Duke advises and advocates for insurance policyholders in a broad range of complex litigation, arbitration and other matters involving all types of insurance, from general liability to D&O, professional liability, fidelity bond, and other specialized coverages.

Ben has helped obtain significant insurance recoveries on behalf of clients in many industries, including the financial services, technology, energy, and pharmaceutical industries. He is currently handling major coverage litigation in New York courts and has nationwide experience litigating in state and federal courts and in numerous arbitration forums. As co-lead trial and appellate litigation counsel, Ben recently helped a major technology company recover over $150 million in coverage for a massive government-mandated environmental remediation in Wisconsin’s Fox River.

Complementing his insurance recovery expertise, Ben also has extensive trial experience representing financial institutions in the defense of securities-related claims and other financial disputes. He was lead trial and appellate counsel in multiple federal cases and arbitrations arising from a massive “Ponzi” scheme, and he has represented securities issuers in litigation and investigations involving complex financial instruments and transactions.

Scott Levitt

Scott Levitt has over twenty-five years of experience representing policyholders in numerous types of insurance coverage claims. These matters include cyber-risk, mass tort, asbestos, silica, mixed dust, environmental, product liability, employment discrimination, errors and omissions, first-party losses, crime and employee dishonesty. Scott has successfully represented policyholders in insurance recovery proceedings in federal and state trial and appellate courts around the U.S., as well as in mediation and international and domestic arbitrations. Scott’s practice often involves negotiating and implementing complex settlements involving multiple parties outside of litigation.