Insurance coverage for data breach incidents is a hot topic in the insurance world. Nowhere is it hotter than in the area of newly created specialty cyber policies designed specifically to cover such incidents—what do these policies cover, when should they be purchased and how much coverage should be obtained are questions we routinely encounter. But a Fourth Circuit decision decided April 11 serves as an important reminder that more “traditional” general liability policies should not be overlooked in the unfortunate event that one finds oneself facing liability for a data breach.
The case, Travelers Indemnity v. Portal Healthcare Solutions, LLC, was an action by Travelers seeking a declaration that it had no duty to defend its insured, Portal, in an underlying class action alleging negligence by Portal in inadvertently allowing healthcare records of its patients to be accessible over the internet. The policy issued by Travelers was a fairly standard commercial general liability (“CGL”) policy, which included personal and advertising injury coverage for, among other things, “electronic publication of material that gives unreasonable publicity to a person’s private life.” Travelers claimed that the allegations that the records were allowed to be made available on the internet was not a “publication.”
The Fourth Circuit had little trouble rejecting this argument, finding that the “publication” requirement was satisfied since the allegations, if proven, meant that “any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”
In so concluding, the court aligned itself with the few lower-level courts considering this issue and, given the prominence of the issuing court (the first federal appellate court to decide this issue) perhaps breathed additional life into the notion that CGL coverage is potentially available in these types of cases. One issue that was not addressed, because it was apparently not at issue, was whether such coverage exists when the publication is made by a third party, e.g. a hacking incident which triggers third party lawsuits against the hacked party.
Two years ago, in the highly publicized Sony Playstation data breach case, a New York lower court denied coverage on such grounds (though notably the court ruled that the hacking incident did result in a “publication” even though the hackers were the only ones, at least at that point, who had the data). That case settled before an appellate ruling was made. So the “third party hacker” issue may continue to linger (though its rationale is open to attack as it does not appear to be based on policy language). Other issues include the scope of protection under such policies, e.g., for fines, investigations, etc., and the increasing prevalence of exclusions for cyber liability.
Simply put, it would be an enormous mistake to view this decision as any kind of insurance cure-all—or a reason to avoid purchasing cyber insurance (if the need to do so otherwise exists). Nonetheless, the decision does at least provide helpful precedent in what are largely uncharted waters in the event general liability coverage is needed as a source of recovery for a data breach claim.