As data breaches have continued to grow over the past few years, interest in cyber insurance coverage has grown along with it. This week, the Fourth Circuit upheld a lower court’s ruling in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, finding that a commercial general liability (CGL) insurance policy covered the cost to defend claims regarding a data breach.
In an unpublished opinion, a panel of the Fourth Circuit affirmed the Virginia District Court’s August 2014 decision that Travelers Indemnity Co. was obligated to defend Portal Healthcare Solutions in a class action lawsuit pending in New York state court. The underlying class action alleged that Portal failed to secure a server containing confidential records of patients at a New York hospital, leaving the records available to view online for more than four months without a password. Two patients discovered their records online following an internet search, but there was no evidence that any third parties viewed the information.
In looking at the four corners of the complaint and the underlying CGL insurance policy, the Fourth Circuit agreed that the mere availability of the private medical information online constituted “publication” under the CGL policy’s provision providing coverage for “electronic publication” of material regarding a person’s private life, thereby triggering the duty to defend.
Although the decision is favorable to policyholders, there are a number of important caveats. For instance, insurance policy language can vary substantially between carriers, and the unpublished decision is not binding on other courts. Notably, the decision contrasts a 2015 holding by the Connecticut Supreme Court finding that a CGL policy did not cover a loss of computer tapes containing employee personal information when there was no evidence of personal loss, no evidence that any third party ever accessed the information, and thus no “publication” of the information as required by the CGL policy.
In recent years, it has become increasingly difficult for policyholders to secure coverage for data breaches under CGL policies given the continuing trend of “electronic data” exclusions. Moreover, CGL policies often contain express language clarifying that electronic data does not qualify as “tangible property,” a prerequisite for a finding of “property damage” under such policies.
Given that these policy limitations are becoming more prevalent, companies hoping to have coverage in the event of a data breach should evaluate whether their current policy appropriately covers cyber and data breach risks, or whether they may need to obtain a separate cyber liability policy specifically tailored to cover such risks.