Ride the Lightning

Cyberinsurer to Breached Customer: We Don't Cover Stupidity

July 29, 2015

Naked Security has a great story about the failure to pay off on an insurance claim after a data breach.

In 2013, California healthcare provider Cottage Health System discovered that security on one of its servers had been disabled, leaving tens of thousands of patients' files potentially open and exposed on the Internet. Those files included patients' names, addresses, dates of birth, and in a few cases, their diagnosis, lab results and procedures performed.

To no one's surprise, Cottage was sued, along with inSync, a company responsible for putting the records in a secure location online. As you might imagine, a lot of money was spent on a forensic investigation, security consultants to get rid of malware, patient notification, credit monitoring – and no doubt attorney fees.

Cottage had cyberinsurance to cover the breach but Columbia Casualty refused to pay up, pointing to a clause in the policy that effectively said it didn't have to cover the breach because Cottage hadn't followed "minimum required practices" as spelled out in the policy.

Specifically, Columbia claimed that Cottage "stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet."

The patient data had been exposed for about two months, starting in October 2013. There was no cyber attack – the data was publicly available – you could just Google it. Pretty tough to know who accessed the data.

Besides the failure to encrypt, Columbia alleges the following security shortfalls.

• Cottage and its third-party vendor, inSync, allegedly failed "to continuously implement the procedures and risk controls identified in its application" for the coverage, including…
• Configuration and change management for Cottage's IT systems as well as regular patch management.
• Alleged failure to regularly "re-assess its information security exposure and enhance risk controls" and to…
• "deploy a system to detect unauthorized access or attempts to access sensitive information stored on its servers."

AON PLC, the world's largest reinsurance broker, claimed in October 2014 that the cyberinsurance market was at the time growing by 38% annually – which I can well believe.

While cyberinsurance is, in my judgment, mandatory these days, there are potholes along the road.

As Dark Reading notes in its interview with Linde and Jake Kouns of Risk Based Security, insurers can dodge covering data breaches for a host of reasons, including:

• Not paying retroactively.
  Given that breaches can be discovered months or even years after they begin or end, organizations should carefully consider when coverage starts.
• Terrorism/act of foreign enemy exclusions.
  Many cyberattacks originate from outside a country's borders, and many of them are believed to be state sponsored. Depending on the policy's wording, your organization could be left high and dry. Experts advise negotiating the removal of such exclusions.
• Lack of coverage for negligence.
  Insurers are starting to cover only data theft, not negligence. If an employee loses a laptop with sensitive data, some policies won't cover it.

Amazingly, most folks enter into these policies without a full understanding of what is included and excluded. Might be a good time to review your cyberinsurance policy – or to get one!

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson