A California state court recently rejected an excess insurer’s attempt at an early exit from litigation over whether it owes coverage for cyber liabilities. In that case (previously summarized here), the policyholder, Cottage Health, suffered a data breach resulting in the disclosure of patients’ private medical information. Subject to a reservation of rights, Cottage Health’s primary insurer, Columbia Casualty, paid millions of dollars to help respond to the data breach and to defend and settle a class action lawsuit filed against Cottage Health. Cottage Health’s excess insurer was Lloyd’s.

Lloyd’s moved to dismiss the claims against it arguing that its coverage obligations had not been triggered since the $10 million of underlying primary limits in Columbia’s policy had not yet been exhausted. The court rejected that argument for two reasons.

First, Lloyd’s failed to establish that the primary limits were, in fact, not exhausted. Second, Lloyd’s did not show that applicable primary limits were actually $10 million. Instead, Lloyd’s had assumed that there was coverage under the primary Columbia policy “to the full extent of its stated limits and that coverage under the Columbia Policy is not subject to limitation.”

The court also refused to dismiss the policyholder’s claim for declaratory relief against Lloyd’s. It explained that, in addition to the deficiencies above, exhaustion of underlying limits was not necessary to create an actual controversy between a policyholder and its excess insurer.

We will continue to keep our readers updated on this case, which thus far is one of only a handful of active cases involving a dispute under policies designed to cover cyber risks and liabilities. More are sure to follow.