On April 11, 2016, a Virginia federal appeals court upheld a lower court ruling that a data security breach is covered by a General Liability (GL) policy. The specific ruling in Travelers Indemnity Company of America (Travelers) v. Portal Healthcare Solutions (Portal) ties back to the accidental publication of private medical records on the internet.
This breach arose in 2013 when two individuals searched their names on Google and found their private medical records from Glen Falls Hospital at the top of the search results. The two individuals subsequently sued the Glen Falls Hospital and Portal Healthcare Solutions, the company hired to secure patient records, for this privacy violation. During the trial, Travelers, who had issued two separate GL policies to Portal during the 4-month period the records were exposed, declined to provide a defense. The court ruling mandates that Travelers defend Portal.
This appears to be a groundbreaking ruling that marginalizes Cyber/Data Breach insurance policies, correct? Not so fast. Before you reconsider Cyber/Data Breach insurance or plan to rely on your GL policy to protect you against data breaches, consider these facts:
- Narrow ruling. The key to this ruling is that the information was “published” – albeit mistakenly – by Portal, which triggered advertising and personal Injury coverage in the GL policy. In most data breach cases, it’s the hacker who publishes information, which wouldn’t be covered by this provision.
- Limited coverage offered. The ruling only requires Travelers to defend Portal in the litigation. Their GL policies do not provide coverage for data breach response costs, business interruption or regulatory coverage offered by today’s Cyber/Data Breach policies.
- Cyber is excluded on most current General Liability policies. Insurers never intended for GL policies to cover data breaches. In May 2014, the insurance industry began adding endorsements to the GL policies specifically stating that the policy does not cover cyber/data breaches. Similar endorsements have been added to other policies (Directors & Officers Liability, etc.) for the same purpose.
- Ruling conflicts with existing case law. This ruling contradicts two other court rulings – IBM v. Federal Insurance and Scottsdale Insurance (Connecticut 2015) and Sony Corp v. Zurich American Insurance (New York 2014) – where the courts found NO coverage for cyber claims in traditional commercial policies. This was the standard belief until the Portal ruling.
With the advent of the digital age, Cyber/Data Breach policies provide a comprehensive solution to this ever-growing area of exposure, covering data breaches, hacks, malware and viruses that are devastating companies today. Beyond covering litigation fees,, these policies include coverage for Data Breach Response costs (forensics, public/crisis communications, notification of affected individuals and credit/ID theft monitoring costs), business interruption, regulatory fines (including Payment Card Industry), penalties and assessments, network asset recreation, extortion demands and more.
For companies seeking proven protection for their cyber, network security and privacy exposures, a Cyber/Data Breach policy absolutely remains the best and most affordable insurance solution.
For additional details and updates on current events, trends and breach prevention suggestions, please visit Marsh & McLennan Agency's Cyber blog by clicking here. Contact us for a complimentary policy review.