May 26, 2017

May 25, 2017

Subscribe to Latest Legal News and Analysis

May 24, 2017

Subscribe to Latest Legal News and Analysis

May 23, 2017

Subscribe to Latest Legal News and Analysis

CNA Denies Cyber Insurance Claim

Key takeaway: The insurance applications and underwriting questionnaires prepared in connection with cyber insurance do matter.

Cyber security, and cyber insurance, have dominated the industry headlines for several years now, but even as companies, brokers and insurers work to develop these products, there has been a dearth of case law interpreting key provisions.  This is beginning to change as disputes arise and make through way through the judicial system.

One such suit came last week when CNA filed a declaratory judgment action against its insured Cottage Health System, seeking reimbursement of both defense costs and a $4.125 million settlement it had paid out on a claim made under Cottage’s cyber policy.  In January 2014, Cottage was sued in a class action in California state court, where it was alleged that the records of more than 30,000 of Cottage’s patients had been disclosed to the public via the internet.  Cottage allegedly stored such records on an internet-accessible system but failed to install encryption or use other safeguards.  The California court granted approval of the $4.125 million settlement fund in December 2014.  CNA, which had reserved rights, filed this action. 

In it, CNA invokes the exclusion for “failure to follow minimum required practices” which precludes coverage if the insured does not “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.” In its application Cottage had indicated that it regularly re-assessed its exposure to information security and privacy threats, among other, more specific, data-protection procedures. CNA asserts that this representation in the application was false.

Insureds and insurers in the cyber space would do well to watch this matter unfold.  The exclusion invoked, and the application questions it relies on, are broadly worded and may leave room for strong arguments on both sides.  Regardless of the outcome, we can be sure that this is only the beginning of judicial interpretation of the key terms of cyber-related policies. Interested readers can also review one of the first cyber-related decisions in the country, which came out of the District Court of Utah last week, here.

Credit:  Staff attorney Jacquelyn Burke

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm
Member

Cynthia is Chair of the firm’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP).  She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive...

617-348-1732