Do You Need Cyber Insurance or Will Your CGL Policy Be Enough?

Womble Bond Dickinson

In Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, the Fourth Circuit Court of Appeals reverses the recent trend of insurance companies avoiding any liability for data breaches under commercial general liability (CGL) insurance policies.

On April 11, 2016, the Fourth Circuit affirmed a lower court ruling, holding that an insurance company has a duty to defend a policyholder under the terms of the CGL policy against allegations that the policyholder posted confidential medical information on the Internet.

Two years ago, two individuals filed a class-action complaint alleging that Portal Healthcare Solutions engaged in conduct that resulted in their private medical records being available on the Internet to anyone who “Google” searched for the patient’s name and clicked on the first result. At the time, Portal was insured under two substantially similar CGL policies with Travelers Indemnity Co.

The CGL policies contained language obligating Travelers to pay sums Portal becomes legally obligated to pay as damages because of an injury arising from (1) the “electronic publication of material that … gives unreasonable publicity to a person’s private life” or (2) the “electronic publication of material that … discloses information about a person’s private life.” Travelers sought a declaration that Travelers was not obliged to defend Portal under the CGL policies, but lost on summary judgment and most recently on appeal to the Fourth Circuit.

The Fourth Circuit, in an unpublished opinion, agreed with the reasoning of the District Court for the Eastern District of Virginia. The lower court determined that making confidential medical records publicly accessible through an Internet search placed those records before the public, and thus constituted “publication” of electronic material, satisfying the first prerequisite of the CGL policies. Further, the lower court held that posting the confidential medical records online without security restriction gave “unreasonable publicity” to and “disclose[d] information” about a person’s private life, satisfying the CGL policies’ second prerequisite to coverage.

While the decision is favorable to policyholders, companies should not rely on this decision or, in many cases, on their CGL policies to provide coverage in the event of a data breach. As the Fourth Circuit pointed out, although ambiguities in insurance policies are generally construed in favor of the insured, insurers may exclude certain types of coverage under CGL policies. Many CGL policies contain express language excluding losses related to data breaches.

All companies should review their current CGL policy to determine whether it provides coverage in the event of a data breach, or consider obtaining separate cyber insurance coverage.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Womble Bond Dickinson | Attorney Advertising

Written by:

Womble Bond Dickinson

Womble Bond Dickinson on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.