Data breach insurance is becoming a growing concern and a topic for businesses to address their risk management administrative panoply. Considerations may sway a business towards a third-party insurance coverage or a first-party insurance coverage or both depending on the services provided. Previously posted writing regarding the cyber insurance needs, we discussed the limits that the industry faces with their coverages and how businesses are not covered for cyber events. Earlier this year the Fourth Circuit rendered a decision that sets a tone for insurers to keep a watch on regarding the commercial general liability insurance (CGLI) required the scope of coverage for data breaches. That scope is the duty for the insurer to defend the insured business entity for a data breach event.
Initially, it is worth to note that cyber insurance or data breach incident insurance was created to address what general liability insurance did not intend to cover at first. As these policies metamorphosed with the growth of cyber incident considerations, limitations are placed to account for the many different facets integral to a potential cyber incident, data breach, or sheer cyber negligence event. The actual scope of coverage within a company’s CGLI is critical and is what was been battered about by the Fourth Circuit in Travelers Indemnity v. Portal Healthcare Solutions, LLC. The scope of coverage in question was whether data breaches were included in the coverage, and if so, to what extent and for what aspect.
Portal Healthcare Solutions, LLC, (Portal) is a company that provides electronic storage management of patient medical data. Its clients are medical service providers including hospitals, who after discovering that medical records were available on the web without password protection, filed a class action suit in the district court in Virginia. Portal’s CGLI policy was under Traveler’s coverage policies. Portal sued Travelers when it refused to cover Portal. Portal argued that Traveler’s policy covered the cyber incident in question. The District Court ruled for Portal depicting that Traveler’s coverage obligated it to defend Portal for the data breach incident. Portal was seeking for Travelers to pay the amount that Portal was liable as a result of the data breach.
Companies considering CGLI will quickly recognize that the insurance vehicle enumerates conditions for liability coverage that include personal and advertising injury. This addresses the duty of the insurer to pay and defend the insured for its liability and damages incurred as a result of violating privacy rights of customers and the like because of a publication of private information. The contentious issue that insured companies and insurers wrestle when there is a data breach or cyber incident is to determine if there has occurred a publication of private information.
The facet of ‘publication’ was at issue as to whether it took place as understood. What was clear from the facts is that the medical records were available on the Internet without password protection. It was claimed that their availability was tantamount to a publication. Portal argued that its policies with Travelers obligated Travelers to cover if Portal was liable for an incident where an injury occurred due to electronic publication of information or that causes publicity of a person’s private life. By virtue that patients’ information was available by searching the Internet, the court deemed that it sufficed as a publication. The court did not believe that there had to be intent to publish in order for it to constitute a publication. According to the court, the simple fact of medical record exposure in the realm of the Internet is substantial for publication. The court found that because a publication had occurred by Portal exposing confidential medical records, Travelers became obligated to defend Portal under the policies.
It is noteworthy to consider the precedent of the Recall Total Info case where some transported records that were in containers fell off the vehicle on the highway, in light of the Portal case. The court in Portal distinguished Recall from its instant case by virtue that the data in Portal was available on the Internet and was easily accessible whereas, in Recall, the data records in containers falling off a transport vehicle could not be construed as accessible and disclosed. The court in Portal noted that the Connecticut Supreme Court in Recall held that absent information that demonstrates that the confidential data and records were accessed, the incident of private data in containers falling off a transport vehicle on the highway cannot be construed as a publication of private information creating a publicity. The Court found that to be distinguishable from Portal’s case regarding the public disclosure of confidential records on the Internet.
Furthermore, the element of publicity is not the only limitation of CGLI policies. The tenor of the knowledge or of the acts of the insured is also imperative to the viability of the insurer’s duty to cover. For instance, in the Sony Corp. case, the court in New York ruled that the insurer did not have a duty to defend and pay for Sony because of the actions of a hacker and not the acts of Sony. The hacking was not considered to meet the occurrence of there being a publication or advertising of private information. Another limitation is when the insured acts with intention and knowingly causing the breach of private information. A Utah District court in the Federal Recovery Services case, held that the insurer was not liable to cover the insured where the insured acted knowingly, willfully and intentionally.
In essence, the policy condition of ‘publication’ was expanded by the Fourth Circuit and it also delineated limitations to the insurer’s duty to pay and defend. The court noted the importance to consider insured’s actions pertaining to its intention, deliberateness, and awareness with the regard of the data breach incident. It also noted the importance to distinguish the existence of the acts of third-parties regarding a data breach incident – an intervening factor – compared to where the insured’s actions resulted in a publication. The absence of the insured’s intention to have private personal information placed on the Internet for anyone to see does not deny that a publication has occurred. Overall, the realm of coverage by CGLI policies will now have a broader appeal to consider amid the limitations for insurers’ duty to cover data breaches.
35 F. Supp. 3d 765, 768 (E.D. Va. 2014).
 Id. at 769.
 147 Conn. App. 450, 83 A.3d 664 (Ct. App. Conn. 2013) (aff’d Recall Total Information Mgmt., Inc. v. Federal Ins. Co., SC19201 (Conn. May 18, 2015)).
 Zurich Am. Ins. v. Sony Corp. of Am., No. 651982/2011 (NY Sup. Ct. Feb. 21, 2014).
 Travelers Property Casualty Co. v. Federal Recovery Servs., Inc., (D. Utah May 11, 2015).