Key Notes:

  • Fourth Circuit finds coverage for exposure of private medical information under traditional business insurance policy
  • Ruling may not apply in other instances or to other cyber risks
  • Businesses should consider their particular cyber risks and tailor coverage under traditional and cyber insurance policies accordingly

In a closely-watched case, Travelers Indem. Co. of Am. v. Portal Healthcare Solutions (4th Cir. April 11, 2016), the United States Court of Appeals for the Fourth Circuit affirmed a decision by the United States District Court for the Eastern District of Virginia, finding that Travelers is obligated to defend a class action lawsuit pending in the New York state courts alleging that Portal Healthcare Solutions made patient medical records accessible on the internet. The decision is significant because the court found coverage under a policy providing a variant of traditional “personal and advertising injury” coverage commonly found in commercial general liability (CGL) insurance policies.

The Fourth Circuit issued a short per curiam opinion adopting the reasoning of the District Court. The District Court found that the underlying class action complaint contained allegations sufficient to require Travelers to defend under policy provisions providing coverage for “electronic publication of material that ... gives unreasonable publicity to a person’s private life” (in a 2012 policy) or the “electronic publication of material that ... discloses information about a person's private life” (in a 2013 policy). The District Court found, and the Fourth Circuit affirmed, that making the medical records available on the internet satisfied the “publication” requirement.

Most CGL policies contain coverage for “personal and advertising injury.” The Insurance Services Office (ISO) provides policy forms that many carriers use to write CGL coverage. Form CG 00 01 03 13 (2012) defines “advertising injury” to include “oral or written publication, in any manner, of material that violates a person’s right of privacy.” The ISO form is arguably broader than the language used in the Travelers’ policies in Portal Healthcare Solutions.

Although the Portal Healthcare Solutions case is favorable to policyholders facing a data breach, there are a number of important caveats:

  • The decision is not binding on other courts.
  • The decision applies only to the disclosure of private information, and does not apply to other cyber claims, such as denial of service attacks, ransomware, etc.
  • Advertising injury policy language can vary substantially among carriers and even among policies issued by the same carrier, and the holding in the case may not apply to other language.
  • ISO has prepared endorsements designed to eliminate or drastically restrict coverage for cyber events under CGL policies. Some carriers are using them or similar restrictive language.
  • The insurance industry is trying to cause businesses to purchase stand-alone cyber coverage, which many carriers now offer.

Instead of waiting for a cyber event, businesses should assess their particular cyber risks and work with their insurance broker and coverage counsel to structure an insurance program designed to cover those risks. Although no one can predict how a carrier will respond to a particular claim, a tailored coverage program should provide a foundation for a reasonable outcome.