The Fourth Circuit Court of Appeals upheld a Virginia district court’s ruling that a commercial general liability policy (“CGL”) may cover a data breach. The case involved an electronic data storage company that posted confidential medical records on the internet, which exposed private medical information on the internet for four months.
While courts in Connecticut and New York have recently found no coverage for cyber claims in traditional commercial insurance policies, the Fourth Circuit agreed with the lower court’s coverage analysis in this case. The insurance policies at issue, specifically under Coverage Part B Personal and Advertising Injury, required the insurer to pay if the insured became legally obligated for damages because of an advertising or website injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life” or the “electronic publication of material that … discloses information about a person’s private life.”
The district court held, and the Fourth Circuit agreed, that the coverage applied because the conduct of exposing confidential medical records to online searching is “publication” giving “unreasonable publicity” to, or “disclosing” information about, a person’s private life.
The district court held that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information paced before it.” The court also found that the public availability of a patient’s confidential medical records provides “unreasonable publicity” to that patient’s private life and “disclose[d]” information about the patient’s private life, which satisfied the second requirement for coverage.
As cybersecurity concerns increase, the insurance industry’s position has largely been that CGL policies do not include coverage for data breaches and instead, have been offering standalone cyber policies and endorcements. It is worth mentioning that this case involved the insured’s own negligence, not a data breach caused by outside hackers or other cybersecurity incident, which has been the subject of other court cases.
The Fourth Circuit unpublished opinion can be accessed here.
This article was authored by Lindsay D. Petrosky. Ms. Petrosky is a member of the Jackson Kelly Health Care and Finance Practice Group and chair of the Firm’s Data Privacy and Security team.