Businesses both large and small are facing an ever-evolving landscape of threats to their cybersecurity, from infiltration by computer hackers to elaborate criminal schemes designed to trick employees into wiring money to overseas bank accounts.
While insurance policies are available for a range of data security risks, disputes between policyholders and insurers are inevitable, as evidenced by a California health network's battle with its insurance carriers for coverage of expenses tied to a data breach and a seafood company's appeal of a ruling that its insurer needn't cover losses it suffered in a money transfer scam.
Here, Law360 takes a look at four cases that could shape the future of coverage for cybersecurity threats.
Cottage Health v. Columbia Casualty Co.
In one of the first cases testing coverage under a cyber-specific insurance policy, Cottage Health System is headed to trial in a Santa Barbara, California, court this fall against its primary and excess insurance carriers over more than $4 million in data breach-related costs. The case is notable because it marks the first time a court has been asked to interpret cyberinsurance policy language requiring the policyholder to comply with specified network security requirements, attorneys said.
"It is going to be an important reminder for policyholders, however the case may turn out, that care is required with cyber policies that impose requirements for the level of security that the policyholder has to apply," said Anderson Kill PC shareholder Joshua Gold. "That is a shifting analysis, as the threats continue to morph. What may have been a sound security measure 18 months ago may now be outdated. It can be quite subjective and very much in flux."