I have written several times about the fight between Cottage Health System and Columbia Casualty, a division of CNA Insurance.
In 2013 Cottage’s systems were breached and the private information of thousands of patients was publicly disclosed. Their insurance company paid $4.125 million for costs related to the breach, including a class action lawsuit.
That is the end of the good news. Last year Columbia filed suit against Cottage demanding their money back. They cited a number of reasons.
First, they said that Cottage failed to follow minimum required practices, which is a coverage exclusion in the policy. Columbia said that Cottage’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application” means that it does not need to cover Cottage’s losses.
Translated from the original legalese, this means that Cottage claimed, when they completed their insurance application, that they had implemented certain security policies and operational procedures when in fact they had not. Or, they did have those policies and procedures, but they did not actively follow them.
Some of the things that Columbia says Cottage claimed to do but did not include:
- Replace factory default passwords
- Regularly patch their systems
- Exercise due diligence over its information security management vendor’s safeguards
Columbia says that even if the hospital did not intend to lie, the “misrepresentation or omission of material fact” is enough, under the terms of the policy, to cancel the policy. So, they are saying, not only do they not want to pay, but they want to cancel the policy altogether.
Let’s separate this into two conversations.
First, if Cottage Health really did not change default passwords, promptly patch their systems, or have an effective vendor management program, then they are (a) pretty typical and (b) lucky that it only cost them $4 million to recover. Those are pretty basic things that everyone should be doing.
On the other hand, and this is much more important, it points to the complexity of cyber risk insurance.
How many people, especially in a relatively small business, would understand what “failure to follow minimum required practices” means? As I understand it, the term was not further defined in the policy.
Although the article in National Law Review says the lawsuit was recently filed, it was actually filed over a year ago. Hopefully that does not point to a long editorial cycle on the website’s part. Last I heard, the complaint has been withdrawn and the two parties are trying to work out a compromise out of court.
However this turns out, it is unlikely that Cottage will be receiving any more checks from Columbia even though the costs of this breach may continue, and in fact they may have to find a new insurance company.
Trying to find a new insurance company after this “dispute” with their current insurance company has been plastered all over the news may not be easy.
The watchword here is BEWARE! The world of cyber risk insurance is somewhat like the Wild Wild West. It is definitely the world of buyer beware.
Information for this post came from National Law Review.