If you have anything to do with cybersecurity, privacy, or insurance, you undoubtedly have heard that the U.S. Court of Appeals for the Fourth Circuit ruled in April that a Commercial General Liability (CGL) insurance policy provides coverage for a data breach, in the case Travelers Indemnity v. Portal Healthcare Solutions. In the last few years, insurance companies have been marketing cyberinsurance policies as the product designed for cybersecurity and privacy risks. So how could it be that a CGL insurance policy – which insurance company lawyers proclaim were not “meant” to cover data breaches – provides coverage for data breaches? We discuss the well-reasoned Portal Healthcare decision, which bolsters policyholders’ rights to collect under CGL policies, below.
The first question when reviewing a CGL policy to determine if it provides coverage for cybersecurity breaches is was there bodily injury, property damage, or personal and advertising injury? Most standard form CGL policies contain “personal and advertising injury” that pay and defend against damages because of publication of material that violates a person’s right to privacy. In the context of cybersecurity and data privacy incidents, courts have considered whether there was “publication” within the meaning of the insurance policy language.
What happened in Travelers Indemnity v. Portal Healthcare?
In Travelers Indemnity v. Portal Healthcare Solutions, LLC, patient records were published on the Internet and were searchable by different search engines. Portal sought coverage under two policies which would require “Travelers to pay sums Portal becomes legally obligated to pay as damages because of injury arising from (1) the ‘electronic publication of material that … gives unreasonable publicity to a person’s private life’ . . . or (2) the ‘electronic publication of material that … discloses information about a person’s private life.’”
The trial court’s decision that Travelers had a duty to defend
The class action had alleged “that patients’ confidential medical records were accessible, viewable, copyable, printable, and downloadable from the internet by unauthorized persons without security restriction from November 2, 2012 to March 14, 2013.” Because the alleged harm spanned two successive CGL policy periods, the court considered coverage under both insurance policies.
Travelers raised several reasons why it should not provide coverage under either policy. The district court rejected each of Travelers’ arguments. Travelers provided a dictionary definition of “publication” suggesting that publication requires the policyholder “‘to place before the public (as through a mass medium).’” The court ruled that because the records could be found via an Internet search, that qualified as publication. The court found that publication had occurred because “exposing confidential medical records to public online searching placed highly sensitive, personal information before the public. Thus, the conduct falls within the Policies’ coverage for ‘publication’ giving ‘unreasonable publicity’ to, or ‘disclos[ing]’ information about, a person’s private life, triggering Travelers’ duty to defend.”
The court also rejected Travelers’ argument that Portal Healthcare had not intentionally published the information. Specifically, the court found that making the patients’ information available through an Internet search engine amounted to a publication, even if the records were not intentionally exposed to public view, as “an unintentional publication is still a publication.” Travelers then asserted that there was not a publication “because no third party is alleged to have viewed the information.” Further, the court also found that it did not matter whether or not a third party had actually accessed the information, “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.
Finally, the court was careful to distinguish the Recall Total Information Management Inc. v. Federal Insurance Co., 147 Conn. App. 450, 83 A.3d 664 (2013) decision. The Recall Total case had tapes fall out of a van, and there was no evidence that the information was seen by a single person. That set of facts was distinguishable from a situation in which third parties did actually see the information.
Thus, the district court found that publication occurred and the insurance company was to provide a defense to the underlying action.
The Fourth Circuit affirmed the “sound legal analysis” of the trial court
On appeal, the Court of Appeals for the Fourth Circuit affirmed the district court’s decision, based “on the reasoning of the district court.” The Fourth Circuit “commend[ed] the district court for its sound legal analysis.” The Fourth Circuit looked to the four corners of the insurance policy and the complaint to determine whether there was a duty to defend or not. Crucially, the Fourth Circuit explained that “if there are particular types of coverage that [an insurance company] does not want to provide,” it must use clear and unambiguous language to do so. Under those basic insurance coverage law principles, the Fourth Circuit affirmed the trial court decision.
Four takeaways from the Fourth Circuit and a final thought
First, this is a terrific decision from the Fourth Circuit for policyholders. It is the leading decision from the highest level court that is directly on point regarding CGL insurance coverage for data breaches. And it ruled that CGL policies do provide coverage for data breaches.
Second, this reminds policyholders to think broadly about coverage for data breaches. Even if a policyholder has other insurance that could provide coverage for a data breach class action, such as a cyberinsurance policy, CGL policies still could provide coverage. That is crucial because standard form CGL policies are not “eroding” or “wasting” policies. Under standard form CGL policies, defense costs do not erode the policy limits. For example, if the policyholder has a CGL policy with $1 million in policy limits, and spends $1 million defending a data breach class action, the full $1 million remains for a covered settlement or judgment.
Third, insurance industry personnel will be quick to assert that in 2014, the insurance industry rolled out exclusions purporting to eliminate coverage for data breaches under CGL policies. But those exclusions are not found in every policy. Again, that is crucial because multiple CGL policies could provide coverage. CGL policies provide “occurrence” coverage. An “occurrence” policy looks to the timing of the injury or harm to figure out which policy year provides coverage. So, for example, if a data breach class action alleges harm going back to 2014 or earlier, policyholders might be able to access coverage under the policies in place in 2013, 2014, and later.
That’s exactly what happened in Portal Healthcare: the court analyzed coverage under two Travelers policies, because the allegations of harm stretched over two Travelers CGL insurance policies. Even if a 2015 CGL policy contains a so-called data breach exclusion, earlier CGL policies still could provide a defense. The rule in most states is that when an insurance company has to defend a suit, it must defend the entire suit, so a single CGL policy could be obligated to provide a complete defense to a data breach action.
Fourth, it should be noted that new so-called data breach exclusions have yet to be tested in court. It is unclear whether they will act as a silver bullet, as insurance industry personnel profess. Some courts, for example, have refused to apply so-called “absolute” exclusions for certain claims, such as the so-called absolute pollution exclusion. Indiana courts have ruled that the absolute pollution exclusion is ambiguous and have refused to apply it in many circumstances that insurance companies said involved pollution.
Finally, this decision is a reminder that policyholders should think broadly about insurance coverage for data breaches, cyberattacks, cybersecurity events, and other data privacy incidents. Even if an insurance company denies coverage, or industry personnel suggest that CGL policies were not “meant” to cover data breaches, the Fourth Circuit has rejected those positions soundly.
This article was previously published on Advisen Cyber FPN.