Are cyber losses covered under general liability (GL) insurance policies?
No, not really. Probably not. Well, ok, maybe sometimes some cyber losses might be covered. In a few states. For the moment.
I’m writing about this now because on April 11, 2016 the United States Court of Appeals for the 4th Circuit issued a decision in the Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC case holding that claims by individuals whose medical records were posted on the internet were covered under a general liability policy. That result might get a lot of people excited. It really shouldn’t though. I’ll have more to say about the case in a minute.
For a long time, companies have tried to find coverage for losses arising from cyber events under their general liability insurance policies. Those policies generally cover claims against the company for:
- Bodily injury;
- Property damage;
- Personal injury, which includes oral or written publication of material that violates a person’s privacy; and
- Advertising injury.
Generally speaking, companies have made two different arguments to trigger coverage. First, companies have argued that electronic data is covered property, and that loss of, or damage to that data is covered property damage. They’ve had mixed success in the courts. The argument is particularly difficult to sustain when a policy requires injury to “tangible” property.
The second argument companies have made is that the breach of data amounts to a publication that violates the privacy of the individuals affected. Insurers have resisted those claims, and a number of them have ended up in litigation. Here too the results have been mixed, although recent decisions in Connecticut and New York involving IBM and Sony have supported insurers’ position that data breaches don’t necessarily result in the “publication” of the compromised data.
That is what makes the recent Travelers v. Portal Healthcare decision significant. It bucks the trend, and gives some hope to companies that have suffered data breaches and that don’t yet buy cyber insurance.
No company should be too hopeful though. The case isn’t as great as it might sound.
The data breach in the Portal Healthcare case is different than many other breaches. Unlike situations in which data is compromised but not made publicly available (e.g. data tapes falling off a truck), Portal Healthcare mistakenly posted patient records on the internet that then became accessible through Google searches. Facts like that make it easy to argue that information was “published”.
I don’t think Travelers v. Portal Healthcare heralds a new era of cyber losses being covered under GL policies. The 4th Circuit did not publish its decision. That has the effect, as the opinion itself states, of preventing the decision from having any precedential effect. No other judge has to follow it. This will allow Travelers, and every other insurer, to make the same arguments again in other cases. Even if the opinion was a binding precedent, it would only be binding in those few states in the 4th Circuit.
Although the Travelers v. Portal Healthcare decision is not binding in any other case, it undoubtedly will have some persuasive effect in other courts. Mindful of that, I would not be surprised to see GL insurers become more insistent that new cyber claim exclusion endorsements be added to policies to remove any doubt that such claims will not be covered. In situations where insurers do not have the benefit of those endorsements I expect them to try to ignore the Travelers v. Portal Healthcare decision when they can, and to work hard to distinguish it when they can’t.
Should companies do anything different in light of the Travelers v. Portal Healthcare decision? No. Companies facing cyber losses should continue to evaluate all potentially applicable policies, including their GL policies, and provide notices to insurers as appropriate.
Companies that are concerned about the financial consequences of cyber risks should avoid relying on GL policies to cover such losses. The only certain way to insure those losses is under cyber policies specifically designed to cover them. If a company decides to rely on its GL policy to cover cyber losses the only certainty is that it will end up in a fight with its GL insurer. The Travelers v. Portal Healthcare case doesn’t change that.