ICFE eNEWS #16-12 - April 27th 2016
View this eNEWS online

Federal Appeals Court throws into doubt what's covered by your Cyber-Liability Insurance
Time to review your coverage on data breaches

For the past several years, Commercial General Liability ("CGL") insurers have been communicating with their insured clients regarding coverage for "cyber" events, such as data breaches. Generally, these communications have been sent at the time of annual renewals, and notify the insured that such events of loss are no longer considered to be covered by the CGL policy. They usually have also offered to quote and provide such overage for an additional premium.
However, a recent federal appellate court decision in the Fourth Circuit casts doubt on the ability of a "CGL" insurance carrier to refuse to provide legal defense for the insured against a class action based on damages resulting from a data breach.
Specifically, the case is styled as The Travelers Indemnity Co. of Am. v. Portal Healthcare Solutions, L.L.C. This "unpublished" opinion can be found online.
The case arises out of a pending class action in New York State court, and involves Portal, a medical records company, which allegedly failed to maintain the confidentiality of patient records in its system. The apparently unsecured server allowed the records to be accessed by the public.
Travelers is involved due to the CGL policy written for Portal requiring Travelers to defend the insured under specific enumerated circumstances. The parties differ on whether the facts of the case fulfill the requirements of the language of the coverage.
It is noteworthy that the Fourth Circuit Court's decision holding Travelers liable for providing the defense against the action, under the terms of the CGL policy, differs from the positions taken by other courts in other jurisdictions.
While this case is very specific regarding the jurisdiction, terms used in the insurance contract, and nature of the claims made in the class action, it has potentially vast implications for both insurance carriers and their insured clients.
It is a certainty that this decision will result in a fundamental review of the language employed in CGL policies, with the intention of avoiding such diverse interpretations.
For businesses and other holders of personally identifiable information, including "protected health information" under HIPAA, it is imperative to review and factor in the risks of deliberate or inadvertent breaches, the potential damages, and the specific nature and extent of insurance coverage.
This subject, and related risk management exercises, are covered in more detail in the Certified Identity Theft Risk Management Specialist® (CITRMS®) XV course from the Institute of Consumer Financial Education.

ICFE eNEWS is available FREE upon request by visiting the ICFE's Web site and filling out the contact form, selecting "Yes" for "Add to Mailing List." Please pass this eNEWS on to your peers and interested others and invite them to subscribe for free. Also, visit the ICFE's new Web site: StudentDebtHelp.org
Sent by:

Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)

ICFE - Institute of Consumer Financial Education - ICFE.info - 619.239.1401