Are You Unknowingly Covering Cyber Liability?
Cyber risk is constantly in the headlines these days, with one big corporation after another left reeling from a data breach. But it’s not only the iconic brands that are victims of data loss and class action lawsuits: small to midsize risks are vulnerable, too.
More worrying, a recent decision from a U.S. appellate court in Virginia shows how insurers who have not yet adopted bureau or proprietary exclusions in their general commercial policies – primary and umbrella – could be exposing themselves to sizeable cyber liability claims. [1]
In this recent case, a breach occurred when an employee of a healthcare firm posted patients’ medical records online and failed to secure the server. Although there were no indications that the personal information was actually seen by other parties, information was exposed to public view for more than four months.
Two patients filed a class-action complaint, which led to the coverage action. The court held that a CGL insurer had a duty to defend its insured against privacy lawsuits following a data breach. Its decision turned on whether the access to private information on the Internet constituted a “publication” and otherwise satisfied the definition of Personal Injury in the policies.
The appellate court found that the lawsuit arguably alleged a “publication” under the policies to trigger a duty to defend. Further, it said that the records could have been viewed by anyone with an Internet connection and that created a potential for unreasonable publicity.
Making records viewable on the Internet is considered a publication that could bring unreasonable publicity to the private lives of the patients. It does not matter whether the records were actually viewed by a third party, at least for duty to defend purposes.
For carriers that have adopted the ISO, AAIS, MSO or similar data breach exclusions, the outcome may not be a cause for concern. These exclusions, which were first filed by ISO in 2013, take out coverage for loss arising from the “access to or disclosure of” personal or confidential information and this privacy claim appears to fit within the exclusion.
What’s significant, though, is that the healthcare solutions firm in this case is not the size of a Target or Home Depot, yet it was still sued. There were no cyber criminals or hacktivists; the breach was the result of employee negligence (as it often is).
Clearly, any size or type of risk can make a mistake and end up in court. That’s why it’s so important for carriers to adopt the latest data breach exclusions – and keep the risk in specialized cyber covers rather than general commercial policies.
For more about cyber coverage – including specialized insurance products – ask your Gen Re account executive, and keep an eye out for upcoming Gen Re publications on this topic.
[1] Travelers Indemnity v. Portal Healthcare Solutions, 2016 U.S. App. LEXIS 6554 (unpublished) affirming decision at 2014 U.S.D. LEXIS 110987 (published).