Hanging Around: Fourth Circuit Confirms the Coverage for Data Breach Can Still Be Found in Traditional Liability Policies

Policyholder Insurance Coverage News

Client Alert

With today’s increased focus on data breaches and related cyber liability exposure, the insurance market continues to develop policies tailored to this unique risk. Insurers are also excluding cyber risks in many traditional liability policies (e.g., the CGL). Policyholders might overlook their traditional coverage portfolio in light of these developments, but the Fourth Circuit Court of Appeals just confirmed that could be a mistake.

On April 11 in Travelers v. Portal Healthcare Solutions, the Fourth Circuit affirmed a Virginia district court finding that Travelers was obligated to defend a proposed class action alleging Portal Healthcare failed to properly secure its medical records, making them open to the public on the internet. The two policies at issue offered coverage for “publication” giving “unreasonable publicity” to information about a person’s private life. Despite the insurer’s argument that allowing health records to be available on the internet was not “publication” as contemplated by the policies, the court applied well-established Virginia law, including basic duty to defend and policy interpretation rules, and held for the policyholder. It affirmed the district court’s holding that exposing medical records to a simple internet search was “publication,” defined by Webster’s Dictionary as “to place before the public (as through a mass medium).”

Here’s the takeaway for businesses: don’t forget other liability policies when facing a data breach. For example, standard CGL policies typically provide coverage for “personal and advertising injury,” which includes “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” In the absence of an exclusion that removes coverage for cyber or data breach liability, traditional “publication” coverage may be just what you need to respond to potential liability arising from these ever increasing risks. Cyber coverage should still be considered by businesses during pre-breach planning, but the traditional coverage portfolio may still prove valuable.