By Katherine Varholak and Melissa Reagan

Corporate policy holders received good news on April 11 when the U.S. Court of Appeals for the Fourth Circuit issued its opinion in the case captioned: The Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C., No. 14-1944. The case arose out of a class action in New York filed by patients whose medical records were made accessible on the internet by Portal Healthcare Solutions. Like many companies, Portal did not have stand-alone cyber insurance, but did have standard commercial general liability policies issued by Travelers. When it was sued, Portal sought coverage from Travelers under the personal and advertising injury coverage part of the policies. Travelers denied coverage and insurance litigation ensued in Federal Court.

The District Court sided with the policyholder, finding that Travelers had a duty to defend its insured against the class action. On April 11, the Fourth Circuit affirmed in an unpublished opinion. This decision conflicts with several other prior cases in other jurisdictions finding no coverage for cyber breaches under standard liability policies.

Among other things, the Fourth Circuit found that exposing the patients’ private information on the internet qualified as unreasonable publicity even though the breach was not alleged to have been intentional. This is significant because data breaches are most often caused by unintentional employee conduct. In addition, the court found that coverage was triggered even though there was no allegation that third parties had actually viewed the private medical records. This is significant because in the early stages of a breach the extent of the injuries and damages will likely be unknown.

What does this decision mean for companies? It reinforces the fact that many carriers are aggressively denying coverage for cyber claims. Increasingly, carriers offering standard commercial general liability policies and other forms are adding endorsements aimed at specifically excluding coverage for data breaches. Thus, it is still important for companies to work with a broker to evaluate whether cyber coverage is appropriate for their business. But this case offers a silver lining for those companies facing breaches that have not yet pulled the trigger on stand-alone cyber coverage. This case shows that certain breaches may be covered as advertising injury, particularly if the breach involves internet publication.

Sherman & Howard has prepared this advisory to provide general information on recent legal developments that may be of interest. This advisory does not provide legal advice for any specific situation and does not create an attorney-client relationship between any reader and the Firm.

©2016 Sherman & Howard L.L.C.                                                                                   April 13, 2016