A decision handed down by the Fourth Circuit Court of Appeals this week highlights that traditional insurance policies still provide valuable insurance coverage for data breaches and other cyber-related losses.
While CGL policies in particular increasingly add exclusions seeking to exclude cyber claims, companies faced with fallout from a data breach or other cyber loss should still scrutinize their existing non-cyber policies because:
- there may be no such exclusion; their inclusion is not universal;
- there are a variety of exclusions that are not uniform in terms of their exclusionary effect; and
- policies issued on an occurrence basis in prior policy years may still offer valuable coverage.
That last eventuality proved to be the case in Portal Healthcare v. Travelers Indemnity Company, Case No. 14-1944, which concerned coverage for a class action complaint filed in 2013.
The decision is noteworthy not only for finding coverage to defend cyber litigation after an unauthorized medical data disclosure, but also for the court's determination of what constitutes "publication" of data in an alleged breach of privacy. The Court affirmed the trial court decision that publication occurs upon disclosure of the medical data, does not need to be intended, and does not require proof of actual third-party review of the medical data disclosed.
This case is an important reminder that non-cyber specific insurance policies may provide vital insurance protection for cyber related claims. We have secured insurance coverage for numerous policyholders for cyber related claims under a variety of "standard" insurance policies including crime insurance, CGL policies, business package policies, property insurance (including time element provisions), E&O insurance, and D&O insurance.