On March 24, 2016 the Fourth Circuit heard oral arguments in Travelers Indemnity Co. v. Portal Healthcare Solutions, No. 14-1944 (4th Cir. Mar. 24, 2016). This potentially precedent-setting case tackles the issue of whether traditional commercial general liability ("CGL") insurance policies provide coverage for liability arising out of cyber-security issues, such as a failure to secure confidential customer data.

The CGL policies at issue in the case provide coverage for "those sums that the insured becomes legally obligated to pay as damages because of 'personal injury' . . . to which this insurance applies." One of the subject policies defines "personal injury" to include, inter alia, "Oral, written or electronic publication of material that . . . gives unreasonable publicity to a person's private life." The other subject policy defines "personal injury" to include, inter alia, "Oral or written publication, including publication by electronic means, of material that . . . [d]iscloses information about a person's private life."

The insured, Portal Health Care Solutions, LLC ("Portal"), a healthcare provider, was sued by several of its patients for failing to adequately safeguard their private and confidential health information after they were able to access their medical records online through Google. Portal sought coverage for the claims under the subject policies, and the insurer, Travelers Indemnity Co. ("Travelers"), filed an action for declaratory judgment to determine its rights and obligations under the policies. On summary judgment in the declaratory judgment action, the district court held that Travelers must provide coverage for Portal in the underlying class action suit because Portal's handling of its patients' data constituted a "publication" of the material that gave "'unreasonable publicity' to, and disclose[d]' information about patients' private lives within the meaning of the" subject policies. See Memorandum Opinion and Order, Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, 1:13-cv-00917 (GBL) (E.D. Va. Aug. 7, 2014).

On appeal to the Fourth Circuit, Travelers argued that the district court's holding constituted a "serious error" by ruling that failure to secure the patient's data constituted "publication" of the data. Travelers contended that "publication" requires actual action to disseminate the information amongst the public, not just a lack of security. Portal countered in their brief that the only thing that mattered in this case was that the underlying complaint alleged "publication," thus triggering coverage, because it compares Portal's actions to "leaving a book in a public place where anyone can read it." In a separate amicus curiae brief, the American Insurance Association argued that Portal was simply trying "to shoehorn into the terms of its traditional general liability Policies the claim that it failed to safeguard the [underlying] plaintiffs' private information."

The Fourth Circuit's decision in this case could have far-reaching implications for the coverage available for cyber-attacks. Although in this case no third-party penetrated defenses set up by Portal, if the Fourth Circuit upholds the lower court's finding of coverage, companies that are the victim of hacking attacks by third-parties could also argue for coverage under existing similar CGL policies. Under this theory, a company would "publicize" its customers' confidential data when hackers access the data.

However, in the event the Fourth Circuit upholds the lower court's decision, it is unlikely that coverage under most future CGL policies would be available. Rather, insurers are likely to increase their reliance on broad "cyber exclusions" in CGL policies. These exclusions preclude coverage for losses stemming from cyber-events, such as data breaches. Companies seeking coverage would have to purchase separate cyber-insurance policies -- at an additional premium -- to provide coverage for those events.

The Portal case could increase the scope of coverage available for insureds under existing CGL insurance policies to include claims for liability stemming from cyber-attacks. Insurance companies as well as CGL and cyber-insurance policy holders should carefully watch the Fourth Circuit's decision in the coming month to understand the full extent and limits of their coverage.