Fourth Circuit Requires CGL Insurer to Defend Data Breach Class Action

The increasing market for cyber insurance policies combined with the addition of cyber exclusions has cooled litigation over whether a cyber breach triggers coverage under a commercial general liability (CGL) policy and whether a CGL insurer owes a duty to defend litigation arising from a cyber breach. However, the expansion of cyber insurance and integration of cyber exclusions has not stemmed the litigation under older CGL policies, many of which do not include cyber exclusions. Earlier today, the Fourth Circuit Court of Appeals addressed cyber coverage under a traditional CGL policy in Portal Healthcare v. Travelers Indemnity Company, Case No. 14-1944.

Portal arose after plaintiffs filed a putative class action, alleging that Portal negligently failed to secure a server containing confidential records for patients at a hospital, thereby making the records available for anyone to view online without a password. The insured argued that Travelers owed a duty to defend that class action because the medical records company published, and therefore disclosed, confidential information, triggering the personal and advertising injury coverage provision in the CGL policy. Travelers disagreed, arguing that the failure to secure a server is not a publication. Publication, Travelers argued, requires the deliberate step of disseminating the records – which was not alleged.

The Fourth Circuit accepted the insured’s argument, with little explanation or analysis. Commending the district court for limiting its analysis to the complaint and policy, the court concluded that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” The court did not explain why a failure to secure a private server satisfies the plain meaning of the word publication, but instead accepted the conclusion that the possibility of public access constitutes publication: “Such conduct, if proven, would have given ‘unreasonable publicity to, and disclose[d] information about, patients’ private lives,’ because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”

Portal should have limited impact on modern CGL policies because the cyber exclusions therein resolve the question of whether there is a duty to defend cyber breach litigation. However, within the Fourth Circuit, Portal suggests that a CGL insurer should carefully review cyber-related claims. Portal should be limited to the unique facts underlying the claim (in that records were made publicly available), but the Court’s failure to provide a definition of publication leaves the scope of this decision open to discussion.

Sony’s Interview Quagmire: A Watershed Moment for Cyberinsurance

Gordon & Rees Partner, Matthew Foy, recently co-authored an article published in the Spring 2015 edition of DRI’s In-House Defense Quarterly, entitled “Sony’s Interview Quagmire: A Watershed Moment for Cyberinsurance.” The article addresses the implications of the November 2014 Sony data breach and discusses why companies of all sizes should be giving a hard look at the cyberinsurance market and not simply relying on their CGL policies.

No Coverage for Data Breach Under Personal Injury Provision in General Liability Policy

In Recall Total Information Management, Inc. v. Federal Ins. Co., 147 Conn. App. 450 (2014), Connecticut’s Appellate Court held there is no coverage for a data breach under a general liability policy’s “personal injury” coverage in the absence of evidence that the files were accessed by third parties.  

Recall, a records storage company, contracted to store tapes containing electronic personal information, including names and Social Security numbers, of 500,000 past and current IBM employees.  Recall subcontracted with a transport company to ship the tapes by truck, and was named as an additional insured on the transport company’s primary and umbrella general liability policies.  While the tapes were in transit, they fell off the transport company’s truck and were taken by an unknown person.  The tapes were never recovered.

IBM incurred over $6 million in mitigation costs as a result of the data breach, including notification to affected persons and providing credit monitoring services. IBM demanded Recall reimburse these costs.  Recall notified its insurers, but they denied coverage and declined to participate in settlement negotiations.  Recall settled with IBM and then obtained assignments from the transport company under its policies.  Recall sued the insurers, but the insurers prevailed on summary judgment.  In January, the Appellate Court upheld the judgment of the trial court.

The Appellate Court first rejected Recall’s contention a defense was owed because the court found no “suit” had been brought.  The Appellate Court next addressed the substantive coverage question.  The policies covered damages for “personal injury,” which was defined to include “injury caused by an offense of electronic, oral, written or other publication of material that violates a person’s right to privacy.”  Recall argued the personal information stored on the tapes had been “published” to the thief or other unknown persons, subjecting Recall to potential claims and liability for the costs of notifying the owners of the lost data and providing them with credit monitoring services.

The Appellate Court found, however, that Recall had failed to cite any evidence the electronically stored information was published and that speculation about a publication was insufficient.  Neither the complaint nor affidavits Recall submitted contained facts suggesting the data had been accessed, which the Appellate Court found was a prerequisite for the “publication” requirement.

The Appellate Court was also unconvinced by Recall’s argument the triggering of data breach notification statutes presupposes an invasion of privacy.  The Appellate Court explained the statutes in question do not address or provide compensation for identity theft; they simply require notice to the owner of the personal information involved in a data breach so that the victims may protect themselves from potential harm.  “Merely triggering a notification statute,” reasoned the court, “is not a substitute for a personal injury.”

Given the prevalence of data breach cases, these insurance issues will continue to be litigated.