A Monday court decision added a significant victory for insurance policyholders to an issue with very little existing case law.
In an unpublished opinion, a panel of the Fourth Circuit ruled that
Travelers Co. must defend medical records company Portal Healthcare against a claim that its failure to properly secure servers lead to a data breach in which unauthorized users were given access to private records.
Travelers must settle the claim under the commercial general liability policy it extended to Portal Healthcare, the panel said.
The ruling echoed the verdict of a Virginia district court, which held in August 2014 that CGL policies provide coverage for a data breach.
The case in question involved patient records from Portal Healthcare being published on the Internet and made searchable by different search engines. Portal sought coverage under two policies which would require “Travelers to pay sums Portal becomes legally obligated to pay as damages because of injury arising from the ‘electronic publication of material that…gives unreasonable publicity to a person’s private life’ or the publication of material that ‘discloses information about a persona’s private life.’”
Travelers and Portal disputed whether there was such injury, and what constituted “publication.”
Insurance companies have largely exempted coverage for data security breaches under new CGL policies, preferring to address those risks through specific cyber liability policies. However, the question of whether coverage exists for cyber incidents under older policies without such exclusions is still being decided in the courts.
The insurance industry followed the issue closely, with two industry groups filing amicus briefs supporting Travelers’ appeal.
The American Insurance Association and the Complex Insurance Claims Litigation Association said that coverage for cyber claims “can’t be shoehorned” into standard CGL policy terms and said a “separate, robust” market exists for problems like those faced by Portal.
By affirming the district court’s decision, the trade groups wared the Fourth Circuit would “undermine the certainty and predictability” intrinsic to the functioning of insurance markets.
Attorneys defending Portal, however, argued that the existence of a cyber insurance market is irrelevant because the district court found room for coverage in the language of the Travelers policy.
“If a [general liability] insurer wants to push this type of risk into the cyber insurance realm, it needs to be clearer,” said attorney Tyler Gerking.
Portal held two policies with Travelers covering electronic publication of certain materials from January 2012 to January 2014, court documents show.
