A federal court decision earlier this month has cast doubt on how to best insure commercial clients against cyber risk.
In an unpublished opinion, a panel of the Fourth Circuit ruled April 11 that
Travelers Cos. must defend medical records company Portal Healthcare against a claim that its failure to properly secure servers led to a data breach in which hackers were given access to private records.
Travelers must settle the claim under the commercial general liability policy it extended to Portal Healthcare, the three-judge panel said.
The ruling echoed the verdict of a Virginia district court in August 2014.
The case marks a departure from traditional understanding of cyber risk, which holds that cyber-specific policies are needed to cover data breach, rather than CGL policies. Now, some are saying small businesses that may not be able to afford cyber liability insurance do in fact have some coverage after all.
This could be big news. Although a recent Advisen survey suggests 64% of businesses now have cyber-specific coverage, a number of smaller breaches often fall below policy deductibles, leaving companies on the hook for the bill.
Others in the industry, however, say the supposed victory is not so clear cut. The Portal decision is likely only to apply to companies holding older CGL policies, because newer ones often contain specific exclusions related to data breaches.
“What you see now in most standard liability insurance policies like CGLs is that insurance companies are excluding coverage for liability that arises from a data breach,” attorney Alex Purvis of Bradley Arant Boult Cummings said. “What’s unique about the Portal decision is that the policy did not have that type of exclusion. It may be one of the few remaining policies without that exclusion.”
Furthermore, the court’s decision was more nuanced than a simple finding of data breach coverage through CGL policies.
Collin Hite, an insurance recovery attorney with Hirschler Fleischer, told TechNewsWorld the court only ruled on whether Travelers had to pay Portal’s legal costs for defense in the case.
“The court is not saying that Travelers has to pay the verdict or not [if Portal lost]. All it’s saying is Travelers must pay for the insured’s defense counsel and to defend the case,” Hite said. “A lot of times, though, the defense of the case in the most expensive component of the lawsuit because the plaintiffs may not be able to prove any damages.”
While Purvis urged companies agents not to “forget some of your standard liability policies” in the wake of a data breach, it appears cyber insurance is still the best option for risk management.
