Cases with intersecting issues of data breach and insurance coverage continue to slowly wind their way through the court system. After a number of past losses dealt to insureds who sought insurance coverage under their garden-variety business policies, two recent decisions from the Fourth and Eighth Circuit Courts of Appeal may rekindle the interest of business insureds in seeking such coverage both in the first- and third-party contexts.
First, the Fourth Circuit Court of Appeals in April, 2016 upheld a lower court’s finding that Travelers had a duty to defend a class action lawsuit alleging a data breach brought against Portal Health Care Solutions, LLC ("Portal"). The lawsuit alleged that plaintiffs’ private medical records had been made publicly available on the internet for more than four months. Travelers then sued Portal for a declaratory judgment that it was not obligated under certain Commercial General Liability ("CGL") policies to defend Portal, asserting that the class action complaint failed to allege a covered "publication" as required under the CGL’s Coverage Part B - Personal and Advertising Injury.
The lower court had determined that under Virginia’s eight-corner rule requiring consideration only of the allegations of the Complaint and the content of the policy, the Complaint alleged grounds for liability which were potentially or arguably covered by the policy. Travelers Indemnity Company of America v. Portal Health Care Solutions, LLC, 35 F.Supp.2d 765 (E.D.Va. 2014). The CGL policies at issue required for coverage a) an electronic “publication” of material, and b) that the material give “unreasonable publicity” to or “disclose” information about one's private life. The lower court found that exposing material online which was reachable by searching the patient’s name constituted a “publication,” even without proof that the material was actually viewed.
On appeal, the Fourth Circuit deferred largely to the reasoning of the lower court, reminding that the duty to defend the insured is broader than the duty to indemnify and leaving the question of indemnification for another day.
More recently, on May 20, 2016, the Eighth Circuit Court of Appeals found coverage for a bank victimized by an unauthorized wire transfer by hackers in State Bank of Bellingham v. BancInsure, Inc. State Bank of Bellingham ("the Bank") sought coverage for the criminal $485,000 transfer from the Bank to a foreign bank account. This unauthorized transfer occurred when a bank employee, using her token, password, and passphrase as well as those of another bank employee, executed an authorized wire transfer but left the tokens in the running computer at the end of the day. The next day, the employee saw that two unauthorized transfers had occurred, one of which was reversed. The Bank filed a claim under its financial institution bond, and an investigation found that a virus infected the computer and allowed the access needed to complete the fraudulent transfers.
The Bank sued under the bond, which is treated as an insurance policy under state law. The lower court determined that the computer systems fraud was the efficient and proximate cause of the loss, not the bank employees' violations of policies and practices, misuse of confidential passwords, or failure to update antivirus software. That these other matters may have "played an essential role" in the loss did not make the unauthorized transfer "certain" or "inevitable."
The upshot of these two decisions, which are among the first recent data breach contests over insurance coverage to reach the Courts of Appeal, is that coverage afforded by even traditional insurance and bond products -- not specialized cyberliability policies generating so much interest recently -- may be reached for both first-party and third-party coverage in certain instances, and a finding of no coverage is no longer assured.