A Virginia federal appeals court has ruled that a commercial general liability policy (CGL) must cover a data breach. The Monday ruling – which upheld a lower federal court ruling – by the U.S. Court of Appeals concluded that Travelers Insurance is required to defend Portal Healthcare Solutions after they were sued over a data breach. This particular court ruling conflicts with at least two state court rulings which “found no coverage for cyber claims in traditional commercial insurance policies.” The Monday ruling comes from a 2013 class action lawsuit filed in New York by patients whose private medical records were wrongly exposed on the internet following a data breach.
The suit was brought against Portal Healthcare Solutions, a medical record safekeeping firm based out of Virginia, and found that the CGL coverage applied to personal and advertising injury outlined in the policy. Due to particular policy language, the courts held that “because exposing confidential medical records to online searching is “publication” giving “unreasonable publicity” to, or “disclosing” information about, a person’s private life,” Travelers had the responsibility to defend portal in the class action lawsuit. While this court decision will not change the need for or the way cyber insurance is purchased, it will certainly be interesting to see how this ruling will affect future CGL claims pertaining to cyber.