Don't give up on CGL policies when looking for cyber coverReprints
Data breaches can leave targets casting about for the right insurance solutions, particularly when it comes to often lengthy and costly class action lawsuits. A recent appeals court decision opened the door to the use of commercial general liability coverage in such cases. Richard DeNatale, Richard D. Milone and Celia Jackson, with the law firm Jones Day L.P., discuss this development and other ways companies can protect themselves from cyber risk.
Companies that fall victim to a cyber attack often face an unpleasant aftershock: class action lawsuits by employees or customers who accuse the company of negligence and seek damages for the disclosure of their personal information. These lawsuits can be expensive to defend, even when they have little or no merit.
If the company has purchased cyber insurance, it can expect its insurer to cover the cost of defense. But the majority of U.S. businesses do not have cyber insurance, or the limits on their policies are too low to pay for lengthy class action litigation.
An April 11 decision by a federal appeals court offers a measure of relief for these companies. In Travelers Indemnity Co. of America v. Portal Healthcare Solutions L.L.C., the 4th U.S. Circuit Court of Appeals ruled that an insurer that issued a commercial general liability policy had a duty to defend against class action litigation resulting from a data breach.
This issue has been the subject of substantial controversy. CGL policies have long covered claims arising from the “publication of material that violates a person's right of privacy.” This coverage is found in the privacy clause, which is part of the Personal and Advertising Injury section of standard CGL forms.
In 2000, the Insurance Services Office, which develops standard forms for the insurance industry, revised the CGL form to adapt it to the Internet age. It broadened the language of the privacy clause to cover “publication, in any manner, of material that violates a person's right of privacy.” At the same time, it amended the definition of “coverage territory” to provide that the policy covered “offenses that take place through the Internet or similar electronic means of communication.”
Taken together, these changes seemed to make clear that CGL policies would cover any type of disclosure of electronic data over the Internet that violated a person's privacy rights — including the disclosure of personal data in a cyber attack.
But as the number of data breaches mounted, it became increasingly difficult for policyholders to obtain coverage from their CGL insurers. This trend only accelerated with the advent of cyber insurance policies. Insurers began routinely denying claims for data breach claims under CGL policies, taking the position that these policies were “not meant to cover” such claims.
When challenged in court, insurers offered a host of arguments to avoid coverage. They said that the phrase “publication in any manner” was limited to certain types of disclosure involving affirmative statements to the public at large. They argued that the disclosure of private data in a cyber attack was a publication by the hackers, not by the policyholder. And they argued that CGL policies implicitly exclude data breach claims, though no such exclusion is found in the policy language.
All these arguments ran counter to the legal rules that govern the interpretation of insurance policies. These rules require that coverage grants such as the privacy clause be read broadly and that any exclusions or limitations be stated in clear and express terms.
In the Travelers case, the 4th Circuit relied on these rules of interpretation to find that a CGL policy covers the cost of defending data breach claims that allege the disclosure of private information. The case involved a class action lawsuit against Portal Healthcare. The complaint alleged that Portal had negligently allowed confidential patient medical data to be posted on the Internet, where it could be accessed by a simple Internet search. The CGL policies at issue contained a variation of the standard language and provided coverage for “electronic publication of material that ... gives unreasonable publicity to a person's private life (or) discloses information about a person's private life.”
The trial court ruled that private patient information was “published” when it became accessible to unauthorized third parties via the Internet. The court held it did not matter whether the policyholder intended to make the material public or whether anyone actually viewed it. The 4th Circuit Court of Appeals endorsed the trial court's analysis and held that Travelers had a duty to defend its policyholder in the class action lawsuit.
The Travelers case is likely to have a significant impact — though only for a limited period of time. For companies facing class action lawsuits filed in the wake of a cyber attack, the decision may open a new path for coverage. But that path may soon become more difficult to navigate, as the insurance industry makes changes to the CGL form that could potentially limit coverage for data breach claims. In 2014, ISO introduced a new data breach exclusion for the standard CGL form. This new exclusion has not been incorporated into all U.S. policies, but we expect it to become more prevalent with each passing year.
These developments make it all the more important for policyholders to purchase cyber insurance policies. The right cyber policy can cover a wide range of claims and other losses that typically result from a data security incident. Within a few years, cyber policies are likely to be the only vehicle for insuring cyber and Internet exposures. But for companies facing data breach claims who do not have cyber insurance, it may be worthwhile to take a second look at their CGL coverage in light of the Travelers decision.
Richard DeNatale is a partner at Jones Day in San Francisco. Contact him at email@example.com or 415-875-5740.
Richard D. Milone is a partner at Jones Day in Washington. Contact him at firstname.lastname@example.org or 202-879-7645.
Celia M. Jackson is counsel at Jones Day in San Francisco. Contact her at email@example.com or 415-875-5867.