Despite what many insurance underwriters have been suggesting for some time, policyholders facing cybersecurity litigation or other cyber incidents should not overlook the availability of coverage under traditional Commercial General Liability (CGL) policies. A significant and recent decision from the United States Court of Appeals for the Fourth Circuit demonstrates that non-cyber, traditional policies may afford coverage for modern, cyber-related losses. Despite the possible applicability of CGL coverage, however, policyholders also should strongly consider the need for specialized cyber insurance policies to address their specific business operations.

A recent decision from the United States Court of Appeals for the Fourth Circuit is an important victory for policyholders seeking coverage for data breaches under traditional CGL insurance policies. In an unpublished opinion, the Fourth Circuit affirmed a Virginia district court’s 2014 decision that Travelers Indemnity Company had a duty to defend Portal Healthcare Solutions LLC against a putative class action lawsuit alleging that Portal’s failure to secure its server made medical records accessible to unauthorized users online. Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., 2016 WL 1399517, at *1 (4th Cir. Apr. 11, 2016).

The case arose out of a data breach involving Glen Falls Hospital in New York. Travelers Indem. Co. of Am. v. Portal Healthcare Sols., LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014). In April 2013, two individuals filed a class action complaint alleging that Portal and others negligently allowed their private medical records to be publicly available on the Internet for more than four months. Id. at 768. Plaintiffs alleged that when they Googled their own names, they discovered that the first link was a link to their medical records at Glen Falls Hospital. Id. The hospital confirmed, in a notice posted on its website, that transcribed doctors’ notes containing medical information on 2,360 patients were publicly available on the Internet for about four months.

Portal argued that it was entitled to insurance coverage under two CGL policies issued by Travelers, which provided coverage for sums that Portal became legally obligated to pay as damages for the “electronic publication of material that ... gives unreasonable publicity to a person’s private life” and the “electronic publication of material that ... discloses information about a person’s private life.” Id. at 767. Significantly, and as explained in more detail below, Portal’s policy did not contain any of the recent restrictions on coverage adopted through the Insurance Services Office (ISO) purporting to bar coverage for data breaches. On July 30, 2013, Travelers responded to the policyholder’s request for coverage by suing Portal in the Eastern District of Virginia, seeking a declaration that it was not obligated to defend Portal in the class action case because the complaint failed to allege a covered “publication” by Portal. Id. The parties filed cross-motions for summary judgment. Id.

The United States District Court for the Eastern District of Virginia granted summary judgment to Portal, holding that Travelers’ duty to defend was triggered. Id. at 769. The district court applied Virginia’s “eight corners” rule, under which courts examine “(1) the policy language to ascertain the terms of the coverage and (2) the underlying complaint to determine whether any claims alleged therein are covered by the policy.” Id. at 769 (citations omitted). The district court held that there had been an “electronic publication of material” because “exposing material to the online search of a patient’s name does constitute a ‘publication’ of electronic material.” Id. at 770. The district court rejected Travelers’ arguments that an unintentional exposure could not be a publication, reasoning that “the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Id. The district court also rejected Travelers’ argument that there was no “publication” when no third party viewed the information, reasoning that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information.” Id. at 771.

The district court also determined that posting confidential medical records online without a security restriction gave “unreasonable publicity” to, and “disclosure” about, patients’ private lives. Id. at 771. As the district court stated, “[t]here can be no question that posting medical records online without security restriction exposes the records to the general view and thus, gives the records ‘publicity’ since, quite literally, any member of the public can view, download, or copy those records,” even where no member of the public actually viewed the records. Id. at 772.

The Fourth Circuit adopted the reasoning of the district court, explaining that the district court applied the correct rule of interpretation and appropriately concluded that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” 2016 WL 1399517, at *2. The court reasoned that “Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal.” Id.

In an amicus brief submitted to the Fourth Circuit, the American Insurance Association and Complex Insurance Claims Litigation Association argued that CGL policies are not designed to cover claims for failure to oversee the security of a computerized record-keeping system. The associations argued that “[g]iven the staggering growth of cyber liabilities, a strong market has developed for specialty cyber insurance coverage that applies specifically to claims stemming from failures to safeguard computerized records.” Br. of Amici Curiae Am. Ins. Ass’n and Complex Ins. Claims Lit. Ass’n in Support of Plaintiff-Appellant and Reversal, Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C. (4th Cir.), Case No. 14-1944, 2015 WL 6110283, at *7 (Sept. 29, 2015). Significantly, and despite this concerted effort by the AIA, the Fourth Circuit rejected these arguments.

As stated above, the insurance industry had already reacted to attempts to rely upon CGL coverage for cybersecurity-related claims through several actions by ISO. Among other things, ISO created, in April 2013, a new endorsement for CGL policies that would allow insurance companies to delete the “publication, in any manner” definition of personal and advertising injury and, in May 2014, added an exclusion designed to eliminate coverage for breach of privacy liability “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.” (CGL CG 21 06 05 14.) The very need for these newer exclusions in CGL policies should reinforce that such policies can, and, indeed, do provide coverage for cybersecurity incidents.

The bottom line is that policyholders seeking coverage for cybersecurity incidents should not overlook the importance of traditional CGL policies as a potential source of coverage. At the same time, however, policyholders should strongly consider the propriety of specialized cyber insurance policies because such policies may afford more specialized relief for both first- and third-party losses once a data breach or security event has taken place.