[BreachExchange] Cyber ruling opens door to CGL claims

Tue Apr 26 21:53:10 EDT 2016

http://www.businessinsurance.com/article/20160424/NEWS06/160429916/cyber-breach-ruling-opens-door-to-cgl-claims-travelers-indemnity

Policyholders hit by a cyber breach may still find some coverage in their
older commercial general liability policies thanks to an appeals court's
broad interpretation of what constitutes “publication.”

In its unanimous April 11 ruling in Travelers Indemnity Corp. v. Portal
Healthcare Solutions L.L.C., a three-judge panel of the 4th U.S. Circuit
Court of Appeals in Richmond, Virginia, focused on a dispute over Portal's
responsibility for patients' medical records.

The records were accessible online from Nov. 2, 2012, to March 14, 2013,
although no third party allegedly viewed the information. Still, affected
patients sued alleging violation of their privacy rights.

The appeals court held that the information could be considered published
even if it was not viewed, and therefore was covered under the definition
of “published” under Portal's CGL policies (see story, page 28).

To say “a book that is bound and placed on the shelves of Barnes & Noble is
not 'published' until a customer takes the book off the shelf and reads it”
does not “comport with the term's plain meaning,” an Alexandria, Virginia,
federal judge ruled. The appeals court upheld the lower court's decision.

“The court appropriately found that publication does not require that
anyone has actually used the medical information at issue,” said Roberta
Anderson, a partner at K&L Gates L.L.P. in Pittsburgh.

Brian T. Himmel, a partner at Reed Smith L.L.P. in Pittsburgh, said despite
the increasing uses of cyber exclusions in CGL coverage, the ruling is
still relevant.

While CGL policies issued in 2016 may very well have cyber exclusions,
“oftentimes it takes time to discover you're the victim of a cyber attack
or cyber negligence-related conduct,” so a CGL policy issued in 2014 or
2015 may still provide coverage, Mr. Himmel said.

While cyber exclusions and stand-alone cyber coverage may limit this case's
importance, firms should also “not forget about other insurance policies
that might exist in a company's portfolio,” said Alex Purvis, a partner at
Bradley Arant Boult Cummings L.L.P. in Jackson Mississippi. “You just never
know what could be there.”

While the ruling “certainly is not going to revolutionize insurance
coverage for cyber liability,” CGL policies still exist that do not exclude
cyber coverage, said Jeffrey O. Davis, a partner at Quarles & Brady L.L.P.
in Milwaukee. This ruling “certainly could provide helpful precedent for a
policyholder that's faced with a data breach claim.”

The appeals court's ruling provides greater clarity, said Dennis S. Klein,
a partner at Hughes Hubbard & Reed L.L.P. in Miami. “How far-reaching it is
remains to be seen, because it's only applying to the traditional
commercial (general liability) insurance policy.”

Gregory D. Podolak, an attorney at Saxe Doernberger & Vita P.C. in
Trumbull, Connecticut, said the case's key takeaway is that “most companies
should be looking into stand-alone cyber insurance if they haven't gotten
that already.”

However, Linda D. Kornfeld, a partner at Kasowitz Benson Torres & Friedman
L.L.P. in Los Angeles, said the ruling could have a somewhat wider
application.

“The decision is not just favorable in the data breach setting, but it
extends into other privacy-related exposures for policyholders,” such as
those involving the Telephone Consumer Protection Act, Ms. Kornfeld said.

Consumers bringing litigation under the telephone law have alleged
interference with their privacy interests, she said. “The debate in those
cases has been whether the privacy interests at issue there involve any
sort of 'publication' of private information.”

“If one of my clients came tomorrow with a TCPA issue, I would certainly
use (Portal) as support, in addition to other cases around the country, for
the concept that publication should be construed to favor coverage in other
privacy contexts,” Ms. Kornfeld said.

Experts said they were not certain why the appeals court issued an
unpublished ruling, but said it remains significant.

“If I had a case that was evaluating the same issues, I would not hesitate
to cite an unpublished decision that I thought was on point,” Mr. Purvis
said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160426/4c9c8d56/attachment.html>