I wrote about 21st Century Oncology in March (see post here) when the FBI came knocking on their door. The result? 2.2 million records compromised. At that time they said that they likely did not have enough insurance to cover the costs of the breach.
Fast forward six months.
Law360 is reporting that Charter Oak Fire Insurance and Travelers Property Casualty Co. have asked a Florida court to rule that they have no duty to defend.
There are currently 17 class action suits pending. If these insurance companies are found to have a duty to defend 21st Century Oncology, they will spend millions doing that. Maybe tens of millions.
This incident was a cyber breach. These insurance policies do not appear to be cyber policies. Given that 21st Century has already said that they are concerned that they do not have enough insurance, they are likely grasping at straws.
Part of the reason that these lawsuits have been filed is that the plaintiffs say that 21st Century should have notified them sooner.
The breach happened, they say, around Oct. 3, 2015.
The FBI told them about the breach on Nov. 13th.
21st Century notified patients of the breach on Mar. 4, 2016, at the request, they say, of the FBI to delay notification. I am not familiar with Florida law, but most states have an exemption from prompt notification when law enforcement requests it. Assuming this is the case in Florida and assuming the FBI did ask for the delay, I don’t think this part of the case has much of a chance of succeeding. However, I am not a lawyer and I certainly don’t pretend to be able to predict what juries will do.
I assume that the 17 pending class actions have a lot more claims in them that they will have to defend against.
The company’s 10-Q for the first quarter of 2016 said that they are “highly leveraged”, with over $1 billion of long-term debt, and are experiencing losses from operations. Given the financial challenges that they will have to deal with over the next several years, this is not a great situation. They have not revealed how much coverage they have. I don’t think I would buy their stock right now.
For other companies, this is a great opportunity to look at the risks that they face and the coverages that they have and determine if they are aligned with each other.
Many companies have a $1 million or $3 million cyber liability policy. For small companies, this is probably fine. For a company with 800 physicians and 140 facilities, how much coverage is appropriate in a highly regulated, highly targeted industry? How much coverage could they buy at any price?
And, you can count on the fact that come renewal time, either they won’t be able to renew, the retained liability (deductibles) will be through the roof or the premium will be out of sight. We already saw this with Anthem after their breach.
I suspect that their troubles are only beginning.
My recommendation is (a) plan now, (b) have enough coverage and (c) make cyber risk mitigation a priority.
Information for this post came from Law360 (registration required).