Making Promises You Can’t Keep

You can sometimes get away with it.  Just not when the promise is made to an insurance company.

Cottage Health System of California found that out when they suffered a computer breach, and then had their cyber-policy claim denied by the insurer.

Insurance companies ask you questions on applications, sometimes vague questions with only a yes or no answer.  They add exclusions to their policies containing ambiguous, broad language that can only be interpreted later in court.  They collect the premium for the policy and don’t worry much about what you said on the application until after there is a claim.  The insurance market is like quicksand.

In the case, Continental Casualty v. Cottage Health Systems, the insurer denied the claim on two bases: 1) misrepresentation and 2) the triggering of an exclusion for “failure to follow minimum required practices.”

The Misrepresentation

The application asked (among many other similar ones):

QUESTION: “Do you check for security patches to your system at least weekly and implement them within 30 days?”

ANSWER: “yes”

THE PROBLEM: We should only promise to maintain a program or a policy to do such things;  we should not guarantee that we will do each specific task 100% of the time, which is a non-achievable obligation.

The Exclusion

The exclusion reinforced the non-achievable nature of the promise by saying:

“the Insurer shall not be liable to pay any loss…in any way involving: any failure of an Insured to continuously implement the procedures and risk controls identified…” (emphasis added).

Think of an analogy. You agree to implement a vehicle fleet policy that prohibits cell phone use while driving. Can you guarantee that no employee will ever use a cell phone while driving? Are you OK with the insurer denying your auto claim if that happens? I don’t think so.

In the cyber world, even given the best of programs, things will fall through the cracks.  No matter how strong the order, some employee at some point will not install the patch, change the password, encrypt the doc, etc., etc.  We need the insurer to require us to in good faith implement the programs we say we will implement, but to still cover us if some cog in the system breaks down.

And as a general matter, never agree to install security that is “reasonable,” “up to date,” “meets prevailing standards,” or anything of that nature.  These words will be undefined in the policy, and, just as bad, standards are evolving at lightning speed.

The cyber insurance world is a frontier now.   It will settle down at some point in the future.  In the meantime, insureds need to be careful what they promise.

Jun 19, 2015

Licata Risk & Insurance Advisors, Inc.
137 South Street, Second Floor
Boston, MA 02111-2848
617-451-2140
LicataRisk Advisors is an independent risk management and insurance consulting firm. We are not brokers and we do not sell insurance. We are not connected to any insurance company or product in any way and do not receive commissions. This is an important difference as you will have an expert on your side who is only committed to you.

Licata Risk is not a law firm and does not practice law. General advice and contract input by the consultants, including those who are attorneys, is to provide insight into the risk and insurance aspects. Your attorney should be the final authority on any legal matter.