In a highly anticipated decision, the Fourth Circuit has ruled that commercial general liability ("CGL") insurance policies provide defense coverage for class action lawsuits arising from a data breach. The decision, Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, Case No. 14-1944, could open the door for coverage under CGL policies for companies that are victims of similar data breaches.
For almost two decades, CGL policies have covered claims alleging privacy violations due to disclosure of electronic data over the internet. The coverage is found in the Personal and Advertising Injury Section, where one of the covered offenses is: "publication, in any manner, of material that violates a person's right of privacy."
Based on this language, many companies facing class action lawsuits in the aftermath of cyber attacks have turned to their CGL insurers for coverage. But for the last several years—as the number of cyber attacks has mounted—U.S. insurers have routinely denied coverage for such claims. They argued that CGL policies are "not intended" to cover data breach claims, and that exfiltration of data in a cyber attack does not involve a publication of material by the policyholder. There has been significant litigation on these issues, but little guidance from the courts—until now.
In Travelers, a class action lawsuit was filed against Portal Healthcare, alleging that Portal had negligently allowed confidential patient data to be posted on the internet, where it could be accessed by a simple internet search. The policies at issue contained a variation of the usual language and provided coverage for "electronic publication of material" that discloses information about a person's private life. The trial court ruled that private patient information was "published" when that information became accessible to unauthorized third parties via the internet—regardless of whether the policyholder intended to make the material public or whether anyone actually viewed the data. The Fourth Circuit Court of Appeals endorsed the trial court's analysis and held that Travelers had a duty to defend the class action lawsuit.
The impact of the Travelers decision could be significant. It opens new avenues of coverage for companies forced to litigate class actions alleging disclosure of private data in a cyber attack. To be sure, such claims are typically covered under cyber insurance policies—which will become increasingly important as new exclusions are added that limit CGL coverage. But many companies do not yet have cyber insurance or have insufficient policy limits. For these companies, we recommend that they take a close look at their CGL policy to see if it covers the costs of defending and settling data breach claims. If the CGL insurer has already denied coverage, it may be worthwhile to have coverage counsel take a second look in light of the Travelers decision.