It was bound to happen sooner or later.
An insurer is holding a client that suffered a breach to the terms in their insurance policy regarding “minimum required practices,” which are necessary to keep the policy in force.
In this case, the “minimum required practices” include, for example:
- Check for security patches to your systems at least weekly and implement them within 30 days.
- Replace factory default settings to ensure your information security systems are securely configured.
In fact, these two items were voluntarily affirmed by the client, Cottage Health System, as part of the practices they performed when they applied for the insurance.
This case also has implications for those who do supply chain management and who contract with third parties for their cyber security, since the fault in this case lay partly with a third-party vendor.
The heart of the allegation is that the insurance policy requires an insured to maintain a cyber-hygiene protocol, and to cause any third-party vendors to maintain a cyber-hygiene protocol — at least as good as the insured’s. These are just some of the items in the list of “minimum required practices” needed to keep the insurance in force. The client must also patch any vulnerabilities addressed by a patch within 30 days.
CNA is alleging breach of the “minimum required practices” warranty, since the vendor’s system was breached by exploiting known vulnerabilities for which security patches had long been available. The suit also mentions sanctions levied by California and the Department of Justice for HIPAA and state privacy law violations.
This is the first time an insurer has decided to file suit to deny coverage based upon the principle that the insured should have known what their system’s vulnerabilities were and should also have known what their vendor’s vulnerabilities were.
Usually, an insurer will simply send a letter to a client denying the claim when payment of the claim is in dispute.
Not this time.
Why should Columbia Casualty wait for their hospital client to sue them? Columbia is so certain of their legal standing they went with a request for a declaratory judgement.
To see Columbia Casualty’s pleading to the judge for a declaratory judgement against their client, click here.
What should not be lost in any of this are the software and device manufacturers’ foisting of their liability onto the hospital by producing devices and software with known vulnerabilities, and forcing the hospital to assume any liability at the time of purchase of the software or devices.
These same vulnerabilities, for which the hospital is now liable, are preventing the hospital from collecting on insurance bought specifically because the software and device manufacturers forced their liability onto their customer. Talk about adding insult to injury.
(Columbia Casualty Company provides casualty insurance products and services. The company is based in Chicago, Illinois. Columbia Casualty Company operates as a subsidiary of Continental Casualty Company, Inc., which is the principal subsidiary of CNA.)