Are you covered if you have a data breach?

The impact of Travelers vs. Portal Healthcare Solutions

In case you missed it, the courts have ruled. Specifically, the 4th Circuit U.S. Court of Appeals delivered a ruling in Travelers vs. Portal Healthcare Solutions.

In this blog we will address what the potential implications are for your company.

Here are the basics of the case:

  • At issue was whether Travelers’ Commercial General Liability (CGL) policy should cover data breach defense costs following an inadvertent disclosure of private healthcare information of patients at a New York hospital.
  • Travelers’ insured – Portal Healthcare Solutions – was hired to secure the sensitive data files. Two patients of Portal Healthcare found their medical information through a Google search and then filed a class action suit against the hospital for allegedly having inadvertently made hospital records available and unprotected on the Internet. Portal then sought coverage from its insurer, Travelers.
  • The Travelers 2012 and 2013 CGL policies included Coverage Part B Personal and Advertising Injury, which addressed damages related to advertising or website injury occurring from “the electronic publication of material that gives unreasonable publicity to a person’s private life or discloses information about a person’s private life.”

Travelers argued that there was no definitive personal injury or publication because the records release was unintentional and nothing was viewed by a third party. The court disagreed, finding that publication, even if unintentional, is still publication. In addition, the judgement declared that the definition of publication is not contingent on third party access (similar to a book sitting on a library shelf—it’s published even if no one ever reads it). The court said coverage was required because the Travelers policy did not include explicit exclusion for this type of “injury.”

Impact

The ruling might lead companies to believe that a cyber policy is no longer required because there is adequate protection from an existing CGL policy. Insurance companies may believe adding a new exclusion provides definitive clarification and protection from similar suits.

Not so fast.

Here’s what we believe is the continuing reality for cyber-related insurance and risk transfer strategies:

  • Cases like this are likely to continue as insureds who have not bought a cyber policy seek to leverage whatever policies they do have to find coverage. Everyone will look for wiggle room in their CGL policies and in any additional policies.
    • It’s not only CGL policies that are being challenged following data breach incidents. For insureds without a stand-alone cyber policy, however unlikely, coverage may be addressed and potentially leveraged in some way, shape, or form in property, crime, errors & omissions and directors & officers policies.

Ultimately, here’s why we continue to recommend every company carry a specific, stand-alone, robust 1st and 3rd party cyber liability policy:

  • The CGL policy in this case only included defense costs – there were no additional expense costs paid (PR, Notification, Credit Monitoring, Computer Forensics, etc). These additional first party costs are often more considerable than defense costs, and can and should be covered by a cyber policy.
    • Some cyber policies only cover first party costs that arise from a third party claim, including investigation, notification, and credit monitoring. A strong cyber policy should respond under a “Duty to Defend” basis, meaning as soon as a potential claim is even suspected (such as when a laptop goes missing) defense and investigation costs are covered even without a suit being filed.
  • When companies refuse to buy a separate cyber liability policy, it provides attorneys seeking coverage somewhere the perfect opportunity to leverage the kind of nebulous/less specific language contained in more general, broader policies like general liability and errors & omissions. These cases can drag on while companies are still on the hook for the various 1st party costs a cyber policy would have provided.
  • Ultimately, no organization should rely solely on the courts to weigh in their favor following a data breach. A proactive cyber risk management strategy should include not only a strong cyber insurance policy, but also strong cybersecurity protections and a well-vetted breach response plan.

Cyber liability is too important an issue to leave to chance. To make sure you’re adequately covered, simply contact your partner at MJ. If you’re uncertain who to talk to or you have any questions, please feel free to email me directly at aaron.shields@mjinsurance.com. If you’d like to learn more about this specific Travelers case, you may want to read this helpful Insurance Journal article.