Many insurance coverage disputes can be, should be, and are settled without the need for litigation and its attendant costs and distractions. However, some disputes cannot be settled, and organizations are compelled to resort to courts or other tribunals in order to obtain the coverage they paid for, or, with increasing frequency, they are pulled into proceedings by insurers seeking to preemptively avoid coverage. As illustrated by CNA’s recently filed coverage action against its insured in Columbia Casualty Company v. Cottage Health System, in which CNA seeks to avoid coverage for a data breach class action lawsuit and related regulatory investigation, cyber insurance coverage litigation is coming. And in the wake of a data breach or other privacy, cybersecurity, or data protection-related incident, organizations regrettably should anticipate that their cyber insurer may deny coverage for a resulting claim against the policy.
Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage in order to decrease the likelihood of a coverage denial and litigation. In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.
Even where a solid insurance policy is in place, however, and there is a good claim for coverage under the policy language and applicable law, insurers can and do deny coverage. In these and other instances, litigation presents the only method of obtaining or maximizing coverage for a claim.
When facing coverage litigation, organizations are advised to consider the following five strategies for success:
“They promised to protect us from a cyber breach if we paid the insurance premium. We paid the premium. They broke their promise.”
It is critical to place the story in the proper context because, unfortunately, many insurers in this space, whether by negligent deficit or deliberate design, are selling products that do not reflect the reality of e-commerce and its risks. Many off-the-shelf cyber insurance policies, for example, limit the scope of coverage to only the insured’s own acts and omissions, or only to incidents that impact the insured’s network. Others contain broadly worded, open-ended exclusions like the one at issue in the Columbia Casualty case, which insurers may argue, as CNA argues, vaporize the coverage ostensibly provided under the policy. These types of exclusions invite litigation and, if enforced literally, can be acutely problematic and flat-out impracticable in this context. There are myriad other traps in cyber insurance policies—even more in those that are not carefully negotiated—that may allow insurers to avoid coverage if the language were applied literally.
If the context is carefully framed and explained, however, judges, juries, and arbitrators should be inhospitable to the various “gotcha” traps in these policies. Taking the Columbia Casualty case as an example, the insurer, CNA, relies principally upon an exclusion, entitled “Failure to Follow Minimum Required Practices,” which, as quoted by CNA in its complaint, purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. In the extremely complex areas of cybersecurity and data protection, however, any insured can reasonably be expected to make mistakes in implementing security, and this reality is, in fact, a principal reason for purchasing cyber liability coverage in the first place. Indeed, CNA represents in its marketing materials that the policy at issue in Columbia Casualty offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:
Cyber Liability and CNA NetProtect Products
CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.
It is important to use the discovery phase to fully flesh out the context of the insurance and the entire insurance transaction in addition to the meaning, intent, and interpretation of the policy terms and conditions, claims handling, and other matters of importance depending on the particular circumstances of the coverage action.
 No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015).
 The named plaintiff is CNA’s non-admitted insurer, Columbia Casualty Company.
 CNA’s preemptory suit was dismissed without prejudice by order dated July 17, 2015 because CNA failed to exhaust alternative dispute resolution procedure in its policy.