Data Breaches Covered by CGL?

By Amy Elizabeth Stewart

Insurance policyholders may temper their reactions to the April 11, 2016  decision by the United States Court of Appeals for the Fourth Circuit in Travelers Indemnity Co. of America v. Portal Healthcare Solutions LLC.

In its unpublished opinion, the Fourth Circuit affirmed a lower court ruling that Portal Healthcare’s data breach was covered under the company’s commercial general liability (CGL) policies. While the decision is significant, it’s worth highlighting an important fact: the policies at issue were issued in 2012 and 2013. More recent CGL policies may contain language purporting to exclude data breaches and other cyber events from traditional CGL coverage. An exclusion that surfaced in 2014, for example, precludes coverage for claims arising out of access to or disclosure of confidential or personal information.
   
The coverage dispute between Travelers and Portal derives from an underlying class action filed in 2013 in New York state court. Plaintiffs in the class action claimed that Portal failed to secure a server containing confidential records for patients at a hospital in Glen Falls, New York, and that patient information could be accessed over the internet without a password.

Travelers denied coverage and Portal sued in Virginia federal court. U.S. District Judge Gerald Bruce Lee ruled in 2014 that Travelers “has a duty to defend Portal because the medical records company allegedly published the confidential patient data, triggering the personal and advertising injury coverage provision in the insurer's CGL policy,” according to Law360’s coverage of the Fourth Circuit’s ruling.

For more comprehensive coverage, check out Law360’s story on the ruling (subscription required).