[BreachExchange] Data breach covered under commercial general liability policy, court rules

[Audrey McNeil]

http://www.ibamag.com/news/data-breach-covered-under-commercial-general-liability-policy-court-rules-30373.aspx

A Monday court decision added a significant victory for insurance
policyholders to an issue with very little existing case law.

In an unpublished opinion, a panel of the Fourth Circuit ruled that
Travelers Co. must defend medical records company Portal Healthcare against
a claim that its failure to properly secure servers lead to a data breach
in which unauthorized users were given access to private records.

Travelers must settle the claim under the commercial general liability
policy it extended to Portal Healthcare, the panel said.

The ruling echoed the verdict of a Virginia district court, which held in
August 2014 that CGL policies provide coverage for a data breach.

The case in question involved patient records from Portal Healthcare being
published on the Internet and made searchable by different search engines.
Portal sought coverage under two policies which would require “Travelers to
pay sums Portal becomes legally obligated to pay as damages because of
injury arising from the ‘electronic publication of material that…gives
unreasonable publicity to a person’s private life’ or the publication of
material that ‘discloses information about a persona’s private life.’”

Travelers and Portal disputed whether there was such injury, and what
constituted “publication.”
Insurance companies have largely exempted coverage for data security
breaches under new CGL policies, preferring to address those risks through
specific cyber liability policies. However, the question of whether
coverage exists for cyber incidents under older policies without such
exclusions is still being decided in the courts.

The insurance industry followed the issue closely, with two industry groups
filing amicus briefs supporting Travelers’ appeal.

The American Insurance Association and the Complex Insurance Claims
Litigation Association said that coverage for cyber claims “can’t be
shoehorned” into standard CGL policy terms and said a “separate, robust”
market exists for problems like those faced by Portal.

By affirming the district court’s decision, the trade groups wared the
Fourth Circuit would “undermine the certainty and predictability” intrinsic
to the functioning of insurance markets.

Attorneys defending Portal, however, argued that the existence of a cyber
insurance market is irrelevant because the district court found room for
coverage in the language of the Travelers policy.

“If a [general liability] insurer wants to push this type of risk into the
cyber insurance realm, it needs to be clearer,” said attorney Tyler Gerking.

Portal held two policies with Travelers covering electronic publication of
certain materials from January 2012 to January 2014, court documents show.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160414/db8b9ad3/attachment-0001.html>