In April 2013, a class-action lawsuit was filed in the New York State Supreme Court against Portal Healthcare Solutions accusing it of allowing a breach of patients’ medical records. The accusation was that Portal had allowed online patient records to be accessible from November 2012 to March 2013. Portal was insured under a comprehensive general liability policy by Travelers Corp., but Travelers claimed it was not required to defend Portal because the general policy didn’t cover the data breach. But a federal appeals court ruled last week that Travelers, in fact, must defend Portal.
The case is significant, according to Scott Godes, who works in insurance recovery at Barnes & Thornburg and co-chairs its privacy group, because most businesses carry general liability insurance in one form or another, and the insurance industry has been adamant in recent years that CGL policies do not provide coverage for data breaches.
Portal sought to relieve itself of the obligation in a Virginia District Court in July 2013. But the 4th U.S. Circuit Court of Appeals in Virginia, where Portal is based, “very quickly and summarily” said in this case, yes, Travelers must defend against the claim, “end of discussion,” Godes said.
There are some significant takeaways for privacy practitioners and people involved in privacy and cyber legislation, according to Godes.
“This case shows you could potentially get coverage under general liability coverage for data breach actions,” he said.
CGL policies provide for coverage in cases of bodily injury, property damage or personal and advertising injury as well as any matter that violates a person’s right of privacy.
“I’ve argued that the publication of information, which is what a data breach typically is, should fall within that coverage,” Godes said. “But the insurance industry has argued a data breach is not a publication.”
Because data breaches have become increasingly prevalent, insurance companies in 2014 started writing exclusions into their policies that specifically address certain data breach claims, and they are increasingly aiming to insert those exclusions into existing CGL policies.
But for policyholders or those practitioners representing policyholders, this case indicates it’s worth pursuing coverage under existing CGL policies in cases like this, Godes said.
“I have never agreed with the position” that CGL policies didn’t intend to cover data breaches, Godes added. And there are cases indicating insurance companies would be liable to cover breach costs, such as the credit card data breach at DSW shoes. In 2012, an appellate court said DSW was entitled to insurance coverage for losses related to the breach.
That should have put the insurance companies on notice, Godes said.