"Clueless Clause": A Cyber-Liability Exclusion
Cyber Liability policies are beginning to generate their own coverage issues. Late last month, Columbia Casualty Company filed a declaratory judgment action in federal court (Central District of California) to deny coverage for a data breach under a "Clueless Clause". See news story here.
("Clueless Clause" probably was not a term of art until now. I picked it up from SecurityLedger.com. But it fits.)
Health care provider has data. Data leaks because health care provider was negligent with their data. Insurer tries to deny coverage under the following Exclusion:
O. Failure to Follow Minimum Required Practices
based upon, directly or indirectly arising out of, or in any way involving:
1. Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing;…
"Clueless Clause" seems like a good description. It excludes coverage if the insured doesn't bother with security.
The complaint alleges that Cottage Health Systems warranted that it had security measures that it did not actually have. Cottage Health Systems had (accidentally I hope) made all its private data public to the web. They even let Google's spiders (the bots that index the internet so it shows up in search results) read the data. It literally came up in Google searches. And they did not patch. Or change default settings. Or have intrusion detection. Or track changes to the data. They basically just put tons of health info online for the world to see.
Columbia therefore seeks to deny coverage. I can't say I blame them.
There's also a HIPAA issue running around because Cottage Health Systems exposed people's private medical information. Columbia does not want to cover the DOJ investigation either.
Anyways, I'm curious how these Clueless Clauses pan out.