"Mistake Clauses": A More Pro-Insured Take on "Clueless Clauses" (That I Disagre
I ran across a more pro-insured take on Clueless Clauses on FarellaCoverageLaw.com's Policyholder Perspective Blog. That thinks that Clueless Clauses are bad. I disagree with it, but it's definitely worth the read.
Dennis Cusack (the author of the linked post) refers to the Clueless Clause as a Mistake Clause because they essentially exclude coverage if the insured makes a cyber security mistake. He points out that Clueless Clauses are horrible for insureds. They essentially deny coverage if the insured does not do cyber security right, which is exactly why the insureds bought the policy in the first place.
I agree with Cusack on the effect of the clause, but I disagre with Cusack's view on the desirability of mistake clauses on several levels.
First, I do not think the Clueless Clause was unclear. As Cusack puts it:
"Columbia [the insurer] really only seems to want to insure against a criminal hacker attack that beats the best security system money can buy. But if that’s so, it could have said that easily enough."
Cusack feels that if that is what the insurer wanted, they could have said so. I think the insurers did. The policy spelled out exactly what the insured needed to do. The insured simply did not do that.
Second, I disagree with Cusack's characterization of a cyber breach caused by not keeping up cyber security standards as an innocent breach. I think that a large organization with other people's data that fails to take proper precautions is like a bank putting the contents of vault out on a street corner. They might not steal it themselves, but their incompetence at safely storing the data is the reason it got stolen.
Imagine a bank takes your invaluable property and promises to secure it. The bank then buys insurance against the property being lost. The insurer says "Sure, but you have to secure it." Since that might be ambiguous, the insurer gets really specific about vaults and locks and guards. The bank smiles, nodds, pays the premium, and does not do anything. No vault, no lock, no guards. Surprise, surprise, they get robbed. All your stuff is gone. The bank turns to the insurer and asks for the money. I think the insurer's denial for not bothering with security is good public policy --it encourages the bank to actually secure the property. It also reflects the intent behind the contract --the underwriting that set the price of the insurance policy depended on the bank doing security and the bank's failure increased the risk.
Third, I do not agree that the clauses render coverage a "nullity". I think that if you picked up one thing reading the news about cyber security, it was that nothing is invulnerable. The Clueless Clause effectively limited coverage to situations where the insured got hacked despite-not-because of their cyber security, an unfortunately real possibility.
In my view, Clueless Clauses put the responsibility for maintaining good security on only people that can --the people who hold that data. Shifting the risk to insurers would only drive up premiums for insureds who protect the data like they ought to and reduce the costs of being careless with the data. I cannot see how that is a good outcome.
That said, I cannot imagine any insured wanting a Clueless Clause if they could avoid one.