Making Promises You Can’t Keep
You can sometimes get away with it. Just not when the promise is made to an insurance company.
Cottage Health System of California found that out when they suffered a computer breach, and then had their cyber-policy claim denied by the insurer.
Insurance companies ask you questions on applications, sometimes vague questions that allow only a yes or no answer. They add exclusions to their policies containing ambiguous, broad language that can only be interpreted later in court. They collect the premium for the policy and don’t worry much about what you said on the application until after there is a claim. The insurance market is like quicksand.
In the case Continental Casualty v. Cottage Health Systems, the insurer denied the claim on two bases: 1) misrepresentation and 2) the triggering of an exclusion for “failure to follow minimum required practices.”
The application asked (among many other similar questions):
QUESTION: “Do you check for security patches to your system at least weekly and implement them within 30 days?”
THE PROBLEM: We should only promise to maintain a program or a policy to do such things; we should not guarantee that we will do each specific task 100% of the time, which is a non-achievable obligation.
The exclusion reinforced the non-achievable nature of the promise by saying:
“the Insurer shall not be liable to pay any loss…in any way involving: any failure of an Insured to continuously implement the procedures and risk controls identified…” (emphasis added).
Think of an analogy. You agree to implement a vehicle fleet policy that prohibits cell phone use while driving. Can you guarantee that no employee will ever use a cell phone while driving? Are you okay with the insurer denying your auto claim if that happens? I don’t think so.
In the cyber world, even given the best of programs, things will fall through the cracks. No matter how strong the order, some employee at some point will not install the patch, change the password, encrypt the doc, etc., etc. We need the insurer to require us to implement, in good faith, the programs we say we will implement, but to still cover us if some cog in the system breaks down.
And as a general matter, never agree to install security that is “reasonable,” “up to date,” “meets prevailing standards,” or anything of that nature. These words will be undefined in the policy, and, just as bad, standards are evolving at lightning speed.
The cyber insurance world is a frontier now. It will settle down at some point in the future. In the meantime, insureds need to be careful what they promise.
Jun 19, 2015