In May, we reported that Columbia Casualty Company ("Columbia") had commenced an action seeking a declaratory judgment in the United States District Court for the Middle District of California (2:15-cv-03432-DDP-AGR) that it is under no obligation to provide coverage to Cottage Health System ("Cottage") relating to a data breach which resulted in the disclosure of 32,500 of Cottage's patients' records that were stored electronically on its servers. Columbia had alleged that coverage is excluded due to Cottage's failure to follow the minimum required cyber-security practices represented its application for insurance. What could have been one of the first rulings on the merits addressing the scope of coverage relative to the cyber-security representations made by a policyholder in its application will have to wait.
On Friday July 17th, the court dismissed the complaint without prejudice, finding that Columbia was contractually obligated under the terms of the policy to submit the dispute to mediation prior to commencing the action. In that regard, the policy at issue provides that "any dispute amongst the Insurer and Insured in connection with this policy shall be submitted to the alternative dispute resolution ("ADR") process," The policy further provides that if mediation is the selected means of ADR, "no...judicial proceeding shall be commenced until the mediation shall have been terminated and at least 60 days shall have elapsed from the date of termination." Columbia did not dispute, nor did it allege in its complaint, that it had complied with the ADR provision of the policy before filing suit, apparently making it easy for the court to determine, as a matter of contract law, that it was required to dismiss the complaint based on Columbia's premature filing.
Accordingly, the parties will either resolve their differences through mediation or other negotiated settlement, or return to court once there has been compliance with the mediation process required under the policy.