Do CGL Policies Now Insure Data Breaches?

Posted on by

The case that everyone is talking about is Travelers Indemnity v. Portal Health, a just released, unpublished Fourth Circuit opinion. The quick story is that the Fourth Circuit affirmed the trial court opinion and held that Travelers owed coverage (specifically defense) under a CGL policy for a data breach. The real story is a bit more nuanced.

In the case, Portal Healthcare, a Virginia based company, was sued in NY in a class action lawsuit. In the lawsuit, patients of Glen Falls Hospital claimed that Portal Healthcare failed to safeguard medical records entrusted to Portal Healthcare by the hospital and instead allowed those records to be posted on the internet – accessible to everyone via a Google search. Portal Healthcare was insured by Travelers under two consecutive commercial general liability insurance policies – a 2012 policy and a 2013 policy. The Policies were not standard policies – rather they contained special endorsements that expanded the scope of personal injury, advertising injury and web site injury.

Specifically, the 2012 Policy contained a Web Xtend Liability Endorsement that deleted and replaced the definition of Personal and Advertising Injury liability. The 2013 Policy contained an Amendment of Coverage B – Personal And Advertising Liability Endorsement that deleted and replaced the definition of Personal and Advertising Injury liability. Under both endorsements, the parties (and court) seemed to agree that coverage was triggered if the underlying complaint alleged: (1) injury arising out of the offense of “electronic publication of material that . . . gives unreasonable publicity to a person’s private life” (the language utilized in the insuring agreement of the 2012 Policy) or (2) injury caused by the offense of “electronic publication of material that . . . discloses information about a person’s private life” (the language utilized in the insuring agreement of the 2013 Policy).

In respect of the first point, Travelers argued that, although the data was available to the general public, since Portal Healthcare did not intend to publish it, publication did not occur. This argument was rejected by the court which held that it was the fact of publication (and not the intent of publisher) that mattered.

In respect of the second point, Travelers argued that there was no “publicity” given to a person’s private life as the leak was not intended to generate publicity. This argument was also rejected by the court which held that since the leaked data was available to the general public, publicity had occurred.

All of this seems rather straightforward, so why all the fuss? It seems that a top sheet review might be to blame. When you look at the trial court’s decision and the policies themselves, you see that the Travelers’ decision to broaden the scope of potential claims that would qualify as “personal and advertising injury” is the root cause of the decision. So, it’s true that CGL policies might have more potential exposure to data breaches – but only if you enhance the coverages.
For more information about this post please e-mail Bob Cosgrove.