A federal U.S. Court of Appeals has confirmed that comprehensive general liability (CGL) and other traditional policies may yet be a source of liability insurance coverage for cyberliabilities. Although a dedicated cyberliability policy may provide broader coverage for claims and losses arising from a data breach, traditional insurance policies should continue to be included as part of a company’s comprehensive breach response plan.

In September 2014, we published an article discussing how, under certain circumstances, cyberliability claims may be covered under the broad insuring agreements of comprehensive general liability (CGL) policies, or other traditional lines of insurance, such as property policies. Because these types of policies potentially respond to cyberliability claims, we advised that companies review, and include these policies—along with any dedicated cyberliability insurance—as part of a comprehensive breach response and risk management program.

In the earlier article, we also discussed an Eastern District of Virginia decision, Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C., 35 F. Supp. 3d 765 (E.D. Va. 2014), in which the district court found that where a health care company made certain confidential medical records accessible to the public over a three-month period of time, the “publication” requirement under the CGL policy had been met, thus triggering coverage.

Earlier this week, in a positive decision for insureds, the U.S. Court of Appeals for the Fourth Circuit affirmed that decision, commending the district court’s “sound legal analysis,” and holding that Travelers had a duty to defend its insured in the litigation arising out of that data breach.

In reaching its decision, the Fourth Circuit determined that the district court had reached the correct result by applying the “Eight Corners’ Rule”: looking to the four corners of the underlying complaint and the four corners of the underlying insurance policy to determine whether Travelers had a duty to defend its insured.

In the lower court, Travelers had argued that because (1) there was no evidence that any third parties had viewed the confidential, medical information, and (2) there was no evidence that Portal had intended to publish the information, the claim did not meet the “publication” requirement under the CGL policy. But because Travelers did not define the term “publication” in its policy, the district court held (and the Fourth Circuit agreed) that the language in insurance policies must be construed “in favor of [an] interpretation which grants coverage, rather than that which withholds it.” If there are particular risks that an insurer does not want to cover, it must “use ‘language clear enough to avoid … ambiguity.’” Applying this logic, the district court concluded that the underlying class action “at least potentially or arguably” alleged a “publication” of private medical information by Portal, which constitutes conduct covered under the policies, and thus triggered Travelers’ duty to defend its insured. The Fourth Circuit panel similarly rejected Travelers’ argument.

The takeaway from both the district court’s decision and the Fourth Circuit’s affirmance is two-fold: although a dedicated cyberliability policy may provide more comprehensive coverage in response to data breach claims or losses, (1) CGL policies, and other traditional policies, may be a source of liability coverage, unless specifically excluded; and (2) if an insurer fails to define a term, courts may interpret the policy broadly, in favor of coverage for the insured.

Moreover, cyberliability policies typically are claims-made policies—meaning the policy is triggered when a claim is made against the insured during the policy period, regardless of when the wrongful act that gave rise to the claim took place. One exception is if the cyberliability policy contains a short retroactive date, such as at “inception.” CGL policies are typically occurrence-based policies—meaning the policy is triggered when the wrongful act occurred, not when the claim was made. Thus, if the breach occurred before the retroactive date of the cyberliability policy, a CGL policy may provide the only potential coverage. Read the related article regarding the importance of retroactive dates in cyber policies.

Either way, insureds should not presume the absence of coverage under these policies without first carefully considering the nature of the loss, the allegations of the underlying complaint, and the language of the policies at issue.

For these reasons, traditional insurance policies should continue to be included as part of a company’s comprehensive breach response plan, and insureds should seek guidance from experienced coverage counsel to help maximize their potential coverage.

Client Alert 2016-096