Skip to Main Content

General Liability Covers Data Breaches?…..Not so Fast

Wednesday, April 13, 2016
Mike Richmond

By Mike Richmond, JD

The United States Court of Appeals for the 4th Circuit recently upheld a District Court ruling that a General Liability policy may provide coverage for data breaches.  But, the devil is in the details.  This case emphasizes the need for businesses to obtain standalone cyber coverage.

Travelers Indemnity Company of America v. Portal Healthcare Solutions involved a medical records safekeeping firm, Portal, who suffered a data breach.  The breach led to the publication of the medical records Portal was protecting, which was realized when two individuals Google’d their names.  The first links provided by the search were their medical records.  It was determined that the medical records were available via the internet from November 2, 2012, to March 14, 2013.  This resulted in a class action lawsuit in Federal District Court.

Portal did not have cyber liability coverage in place at the time of the breach.  Instead, they only had a general liability policy through Travelers.  Travelers argued that they had no obligation to defend Portal since their general liability policy did not provide data breach coverage.

However, the District Court found that coverage was provided under the Personal & Advertising Injury section of the general liability policy.  The wording of this section provided that Travelers was obligated to pay damages resulting from “electronic publication of material that….gives unreasonable publicity to a person’s private life.”

In defining these terms, the District Court found that the data breach and online exposure of medical records met the “publication” requirement and that the exposure of the medical records was an “unreasonable” publication of the “private life” (medical records) of those affected.

Two reasons why standalone cyber liability insurance is still necessary:

First, the issue in this case is narrowly focused on the wording of the Travelers general liability policies in place during the breach.  It does not address cyber liability and its global applicability to general liability policies.

Since this time, ISO has developed endorsements that revise the language in general liability policies to specifically exclude data breach events.  (See CG 21 06 05 14, CG 21 07 05 14, and CG 08 05 14).  Also, many insurance carriers have included their exclusions in policies limiting their liability for cyber-related losses.

Second, the 4th Circuit represents Maryland, Virginia, West Virginia, North Carolina and South Carolina.  While this case sets a precedent for federal case law in these states, there is no guarantee other federal courts will find this ruling persuasive, even for the narrow issues that were addressed.

While this case provides an interesting perspective on how general liability courts can view policies, the insurance carriers that provide these policies have already taken measures to prevent similar results.  Therefore, standalone cyber liability coverage remains an essential part of all risk management programs.

Material posted on this website is for informational purposes only and does not constitute a legal opinion or medical advice. Contact your legal representative or medical professional for information specific to your legal or medical needs.