[BreachExchange] Insurance Coverage For Data Breaches May Be Found In Policies Other Than Those Specifically Called “Cyber”

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 19 22:02:49 EDT 2016


http://www.lexology.com/library/detail.aspx?g=3c8f80cf-4f94-477e-976f-3fa837229634

On Monday, April 11, 2016, the Fourth Circuit upheld the decision of a
Federal Court in Virginia requiring an insurer to defend its insured in a
class action relating to its failure to maintain the security of certain
patient medical records. Surprisingly, the insurance policies at issue were
traditional General Liability policies (not cyber policies) and there was
no third party breach of the insured’s data or network.

Portal, the insured, provided online storage of medical records to its
hospital clients and allegedly exposed certain patient medical records to
unsecured online searching. This was revealed when a couple of patients
stumbled upon their medical records while Googling themselves. These
patients brought a class action against Portal, but its insurer, Travelers,
denied coverage and refused to defend Portal in the class action. The
Travelers CGL policies provided coverage for, among other things,
“electronic publication of material that …discloses information about [or
gives unreasonable publicity to] a person’s private life."

While the policy didn't define “publication,” the Court determined that
making confidential records publicly accessible via Internet searches falls
within the plain meaning of “publication.” Further, the Court held that
those records were “disclosed” the minute they were posted publicly online,
regardless of whether a third party actually viewed them.

Critics will note that this decision is inconsistent with other recent
decisions that have found no coverage for data breaches under traditional
CGLs. That said, each case ultimately turns on its own particular facts.
The policies in this case were CGLs from 2012 and 2013. With the
proliferation of cyber exclusions being incorporated into newer CGL
policies, it’s certainly becoming more challenging to argue coverage for
data breaches in CGL policies. But, as this case shows, it’s important to
carefully evaluate every policy in the event of an occurrence. While the
policies are constantly changing, so is the legal landscape addressing
coverage for data incidents.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160419/485f55cd/attachment-0001.html>


More information about the BreachExchange mailing list