Cyber insurance coverage is a new phenomenon and seldom do courts deal with such. But as the events occur with frequency, cyber incidents are indeed getting attention. They are getting the attention of insurance carriers as well. Two cases stand out that have set a precedent. Travelers Indem. Co. of Am. v. Portal Healthcare Sols., No. 14-1944 (4th Cir. Apr. 11, 2016) is one case that stands out due to its treatment of coverage of cyber incidents under commercial general liability policies. The other case is Recall Total Info. Mgmt. Inc. v. Fed. Ins. Co., 147 Conn. App. 450, 83 A.3d 664 (Ct. App. Conn. 2013), that also stands out due to its treatment of the issue of actual access to the data, as considered in a cyber incident case.
The court in Travelers dealt with the issue that the functioning of electronic safekeeping of medical records which was a function of Portal Healthcare Solutions. The incident that gave rise to the case was that confidential medical records were posted on the Internet without password protection. A class action suit was filed to address this. The issue was if Travelers had a duty to insure Portal for the incident, i.e., duty to defend Portal. Based on the complaint and the policy, the 4th Circuit affirmed the lower District Court and held that “exposing confidential medical records to online searching is ‘publication’ giving ‘unreasonable publicity’ to, or ‘disclosing’ information about, a person’s private life.”
A distinction was drawn by the 4th circuit by comparing the non-publication that occurred in Recall Total. In Recall Total, the transport of stored data tapes fell off the vehicle transporting the data. Recall was responsible for such transport. The court in Recall Total, noted that no publication took place. The court also noted that there was a need to assess if in fact there was actual access to the data. Without such actual access via the Internet, per se, then there would not be a publication of such data to the general public.
The court in Travelers, determined by distinguishing Recall Total, in that by there not being a dissemination of data or publication of data, just by sheer loss of the records, there could not be the necessary publication. The Travelers court noted that the posting of the data on the Internet made it available for any and all to see, as compared to lost containers of data where access would be deemed not as prominent Recall Total. The court in the Travelers case determined that Travelers’s duty to defend was based on that the coverage covered the allegations. Therefore, Travelers had a duty to defend Portal.
The take away from this, regarding cyber incidents, is that cyber policies are sought to address data breaches in some form or fashion, noting that there are limitations. One notable limitation is the event of proven intent. The element of intent is a death knell. Where it is proven that the act that led to a cyber incident was intentional, knowingly, and willful, coverage will not hold. Intentional acts are not covered in general liability commercial policies, and the same goes for provisions that address defamation/libel and cyber incidents. The other take away is the occurrence of publication or actual access possibly occurring. The sheer loss of the data is not enopugh to trigger coverage. The last take away is that with all coverages, there are policy limits. Any settlement will abide by the limits set by the policy under the insurer’s contract with the insured. In addition to that limitation, data breaches and cyber incidents are difficult to assess damages and set awards. Baselines are not standard for assessing damages. With all occurrences of cyber matters, there is no doubt that more coverages will address cyber incidents and insurance companies will attempt to carve out exceptions to their coverage in addition to noted intentional acts.