ICFE eNEWS #16-12 - April 27th 2016
Federal Appeals Court Throws into Doubt
What's Covered by Your Cyber-Liability Insurance
Time to Review Your Coverage on Data Breaches
For the past several years, Commercial General Liability ("CGL")
insurers have been communicating with their insured clients regarding
coverage for "cyber" events, such as data breaches. Generally,
these communications have been sent at the time of annual renewals,
and notify the insured that such events of loss are no longer considered
to be covered by the CGL policy. They have usually also offered
to quote and provide such coverage for an additional premium.
However, a recent federal appellate court decision in the Fourth
Circuit casts doubt on the ability of a "CGL" insurance
carrier to refuse to provide legal defense for the insured against
a class action based on damages resulting from a data breach.
Specifically, the case is styled as The Travelers Indemnity Co.
of Am. v. Portal Healthcare Solutions, L.L.C. This "unpublished"
opinion can be
The case arises out of a pending class action
in New York State court, and involves Portal, a medical records
company, which allegedly failed to maintain the confidentiality
of patient records in its system. The apparently unsecured server
allowed the records to be accessed by the public.
involved due to the CGL policy written for Portal requiring Travelers
to defend the insured under specific enumerated circumstances. The
parties differ on whether the facts of the case fulfill the requirements
of the language of the coverage.
It is noteworthy that the Fourth Circuit Court's decision holding
Travelers liable for providing the defense against the action, under
the terms of the CGL policy, differs from the positions taken by
other courts in other jurisdictions.
While this case is very specific regarding the jurisdiction,
terms used in the insurance contract, and nature of the claims made
in the class action, it has potentially vast implications for both
insurance carriers and their insured clients.
It is a certainty that this decision will result in a fundamental
review of the language employed in CGL policies, with the intention
of avoiding such diverse interpretations.
For businesses and other holders of personally identifiable information,
including "protected health information" under HIPAA,
it is imperative to review and factor in the risks of deliberate
or inadvertent breaches, the potential damages, and the specific
nature and extent of insurance coverage.
This subject, and related
risk management exercises, are covered in more detail in the Certified
Identity Theft Risk Management Specialist® (CITRMS®) XV course from
the Institute of Consumer Financial Education.