A federal judge in Los Angeles dismissed a potentially landmark case in cyber insurance, though his decision offers no legal ruling on the “best practices” exclusion.
In 2013, Cottage Health System suffered a data breach in which 32,000 confidential records were compromised. The breach resulted in a class action lawsuit, which Cottage settled for $4.1 million. Columbia Casualty Co., the insurer that had issued Cottage Health System’s cyber policy and paid the settlement, filed a lawsuit seeking recovery of the paid claim, citing the policy’s “best practices” exclusion.
The “best practices” exclusion states that if a vendor identifies and notifies companies of a security breach, and the companies fail to take appropriate action, the companies will be held liable. The exclusion required Cottage Health System to maintain certain minimum practices regarding cyber security, such as checking for and implementing security patches.
While this was the first true legal test of the “best practices” exclusion, this ruling will likely have little impact on the future of the exclusion. The judge dismissed the claim because Columbia Casualty Co. failed to go through the mediation procedure that the policy required before filing its lawsuit.