A recent federal court of appeals decision, The Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016), found data breach coverage under a commercial general liability policy (CGL policy). However, this decision should not have a large impact on the future of cyber insurance litigation or the cyber insurance marketplace.
Portal Healthcare Solutions (Portal), a business specializing in the electronic safekeeping of medical records, contracted with a hospital to electronically store and safeguard the confidential medical records of that hospital’s patients. Following a data breach, a class-action suit was filed in New York state court alleging that Portal failed to safeguard those medical records by posting those records on the internet and causing those records to become publicly accessible. During the time of the relevant data breach, Portal was covered by two substantially identical CGL policies that obligated its insurer, Travelers Indemnity Company of America (Travelers), to pay sums Portal became legally obligated to pay as damages because of injury arising from (1) the electronic publication of material that … gives unreasonable publicity to a person’s private life, or the (2) electronic publication of material that … discloses information about a person’s private life. Travelers filed a Motion for Summary Judgment seeking a declaration that it was not obligated to defend Portal against the claims in the class-action complaint. Travelers argued that there was no duty to defend because the class-action complaint failed to allege a covered publication by Portal. The district court disagreed, and ruled that Travelers was bound under the policies to defend Portal. Specifically, the court held that the definition of “publication” does not hinge on the intent of the publisher, or whether a third party has accessed or viewed the published information. On appeal, the 4th Circuit Appellate Court agreed and upheld the district court’s ruling.
This decision is a positive development for insureds seeking data breach coverage under CGL policies, but it is doubtful that this decision is indicative of a future trend. The current trend in the industry has been to move cyber risk away from CGL policies and towards cyber-specific policies. As part of that movement, many CGL policies have specifically defined the term “publication” to prevent coverage for cyber-related claims, or have included specific exclusions addressing publications in data breach or cyber contexts. The insurance policies at issue in this case failed to define “publication”, which forced the Court to apply the plain meaning of the term to the policy. Additionally, even if an insured’s CGL policy is found to cover a cyber incident, it will likely not be as effective as a cyber-specific policy at covering the insured’s loss because it will not cover the costs of investigation, notification and public relations that are associated with a cyber incident. This decision will be beneficial to CGL policyholders in a limited set of circumstances, but it is not likely that it will have a major impact on cyber insurance litigation or the cyber insurance marketplace going forward.