ICFE eNEWS #16-12 - April 27th 2016
Federal Appeals Court throws into doubt what's covered by your
For the past several years, Commercial General Liability ("CGL") insurers
have been communicating with their insured clients regarding coverage for "cyber"
events, such as data breaches. Generally, these communications have been sent at
the time of annual renewals, and notify the insured that such events of loss are no
longer considered to be covered by the CGL policy. They have usually also
offered to quote and provide such coverage for an additional premium.
Time to review your coverage on data breaches
However, a recent federal appellate court decision in the Fourth Circuit casts
doubt on the ability of a "CGL" insurance carrier to refuse to provide legal defense
for the insured against a class action based on damages resulting from a data
Specifically, the case is styled as The Travelers Indemnity Co. of Am. v.
Portal Healthcare Solutions, L.L.C. This "unpublished" opinion can be
The case arises out of a pending class action in New York State court, and
involves Portal, a medical records company, which allegedly failed to maintain the
confidentiality of patient records in its system. The apparently unsecured server
allowed the records to be accessed by the public.
Travelers is involved due to the CGL policy written for Portal requiring
Travelers to defend the insured under specific enumerated circumstances. The
parties differ on whether the facts of the case fulfill the requirements of the
language of the coverage.
It is noteworthy that the Fourth Circuit Court's decision holding Travelers
liable for providing the defense against the action, under the terms of the CGL
policy, differs from the positions taken by other courts in other jurisdictions.
While this case is very specific regarding the jurisdiction, terms used in the
insurance contract, and nature of the claims made in the class action, it has
potentially vast implications for both insurance carriers and their insured clients.
It is a certainty that this decision will result in a fundamental review of the
language employed in CGL policies, with the intention of avoiding such diverse
For businesses and other holders of personally identifiable information,
including "protected health information" under HIPAA, it is imperative to review
and factor in the risks of deliberate or inadvertent breaches, the potential damages,
and the specific nature and extent of insurance coverage.
This subject, and related risk management exercises, are covered in more
detail in the Certified Identity Theft Risk Management Specialist® (CITRMS®)
XV course from the Institute of Consumer Financial Education.
Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)