The Great Cyber Coverage Debate
And so it happened... in March of 2016, the 4th Circuit Court of Appeals Court in Virginia affirmed summary judgment against an insurer who tried to deny coverage for an apparent data breach, thus starting the great cyber coverage debate. Travelers v. Portal Heathcare, Case No. 14-1944. Portal Healthcare is a medical records storage company that services medical care providers such as hospitals. Two patients discovered their medical records were posted on line by Googling their names. The patients initiated a class action suit against Portal, who in turn sought coverage from Travelers under two insurance policies. The Traveler's policies covered Portal for damages, "because of injury arising from (1) the electronic publication of material that ... gives unreasonable publicity to a person's private life or (2) the electronic publication of material that ... discloses information about a person's private life."
The court determined the online posting of medical records, even though unintended, was a "publication" that triggered coverage from Travelers. Interestingly, although the Traveler's policies covered Portal for electronic "publication," the policies did not define what it means to "publish". Travelers argued the data breach did not constitute a publication, because Portal never intended to make the records available to the public. The court rejected this argument, noting the plain definition of the term "publish," found in a commonly used dictionary, included the scenario of allowing medical records to be inadvertently posted online.
Although the 4th Circuit's decision may be narrowly tailored to the language in Traveler's policy, it shows that coverage for cyber breaches will undoubtedly be a subject of legal study and debate in the age of cyber security and data breaches. Most insurance industry experts believe regular CGL policies do not cover data breaches, because a data breach is not a loss of tangible property. Businesses concerned about an expensive breach may choose to purchase special cyber insurance policies. But, all businesses should assess cyber risks and review internal policies and insurance policies to know critical areas of vulnerability before a breach occurs.