BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Cyber ruling opens door to CGL claims

Records 'published' without being viewed


Policyholders hit by a cyber breach may still find some coverage in their older commercial general liability policies thanks to an appeals court's broad interpretation of what constitutes “publication.”

In its unanimous April 11 ruling in Travelers Indemnity Corp. v. Portal Healthcare Solutions L.L.C., a three-judge panel of the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, focused on a dispute over Portal's responsibility for patients' medical records.

The records were accessible online from Nov. 2, 2012, to March 14, 2013, although no third party allegedly viewed the information. Still, affected patients sued alleging violation of their privacy rights.

The appeals court held that the information could be considered published even if it was not viewed, and therefore was covered under the definition of “published” under Portal's CGL policies (see story, page 28).

To say “a book that is bound and placed on the shelves of Barnes & Noble is not 'published' until a customer takes the book off the shelf and reads it” does not “comport with the term's plain meaning,” an Alexandria, Virginia, federal judge ruled. The appeals court upheld the lower court's decision.

“The court appropriately found that publication does not require that anyone has actually used the medical information at issue,” said Roberta Anderson, a partner at K&L Gates L.L.P. in Pittsburgh.

Brian T. Himmel, a partner at Reed Smith L.L.P. in Pittsburgh, said despite the increasing uses of cyber exclusions in CGL coverage, the ruling is still relevant.

While CGL policies issued in 2016 may very well have cyber exclusions, “oftentimes it takes time to discover you're the victim of a cyber attack or cyber negligence-related conduct,” so a CGL policy issued in 2014 or 2015 may still provide coverage, Mr. Himmel said.

While cyber exclusions and stand-alone cyber coverage may limit this case's importance, firms should also “not forget about other insurance policies that might exist in a company's portfolio,” said Alex Purvis, a partner at Bradley Arant Boult Cummings L.L.P. in Jackson Mississippi. “You just never know what could be there.”

While the ruling “certainly is not going to revolutionize insurance coverage for cyber liability,” CGL policies still exist that do not exclude cyber coverage, said Jeffrey O. Davis, a partner at Quarles & Brady L.L.P. in Milwaukee. This ruling “certainly could provide helpful precedent for a policyholder that's faced with a data breach claim.”

The appeals court's ruling provides greater clarity, said Dennis S. Klein, a partner at Hughes Hubbard & Reed L.L.P. in Miami. “How far-reaching it is remains to be seen, because it's only applying to the traditional commercial (general liability) insurance policy.”

Gregory D. Podolak, an attorney at Saxe Doernberger & Vita P.C. in Trumbull, Connecticut, said the case's key takeaway is that “most companies should be looking into stand-alone cyber insurance if they haven't gotten that already.”

However, Linda D. Kornfeld, a partner at Kasowitz Benson Torres & Friedman L.L.P. in Los Angeles, said the ruling could have a somewhat wider application.

“The decision is not just favorable in the data breach setting, but it extends into other privacy-related exposures for policyholders,” such as those involving the Telephone Consumer Protection Act, Ms. Kornfeld said.

Consumers bringing litigation under the telephone law have alleged interference with their privacy interests, she said. “The debate in those cases has been whether the privacy interests at issue there involve any sort of 'publication' of private information.”

“If one of my clients came tomorrow with a TCPA issue, I would certainly use (Portal) as support, in addition to other cases around the country, for the concept that publication should be construed to favor coverage in other privacy contexts,” Ms. Kornfeld said.

Experts said they were not certain why the appeals court issued an unpublished ruling, but said it remains significant.

“If I had a case that was evaluating the same issues, I would not hesitate to cite an unpublished decision that I thought was on point,” Mr. Purvis said.