The article from Business Insurance is instructive as to the fluid legal nature behind cyber liability, data breach coverage and the need to have closely analyzed the policy form. An insurance carrier is asking a court of law to rule that they are not obligated to pay a $4.1 million dollar class-action settlement. The insured was Cottage Health System, based in Santa Barbara, California which had approximately 32,500 confidential medical records exposed to the internet. The carrier entered into the settlement talks after sending a ‘reservation of rights’ letter. The letter puts the insured on notice that the carrier, even though it is investigating and defending the claim, retains the right to later deny coverage. The inference was that the insurance carrier suspected that the insured had not abided by the terms and conditions of the policy form.
In fact, the carrier alleged that Cottage Health System failed to “follow the minimum required practices”. Coverage disputes happen with all insurance coverages because from time to time the insurer has to take a hard stance to protect the intent of the insurance policy. But how, and to what standard should “minimum required practices” be attributed and defined? The carrier responded by pointing to the insurance application that Cottage Health System completed, alleging that Cottage had “failed to ‘continuously implement the procedures and risk controls identified’”.
The take away from the article goes to the need to have a careful examination as to the coverage terms and conditions being offered. That is, it is vital for insureds to look to their insurance brokerage to negotiate out, or better define the carrier’s coverage grant and exclusions.