Can business owners safely terminate their cyber security/data breach insurance, relying on General Liability coverage as a safe harbor?
On July 27, 2016, the U.S. Federal Court of Appeals for the Fourth Circuit held in Travelers Indemnity Company of America v. Portal Healthcare Solutions that a Commercial General Liability (CGL) policy does cover a data breach and that the insurance company has a duty to defend the insured business on the class action claim filed against it.
This decision might lead businesses to believe that they do not need Cyber Security or Data Breach Insurance. While dropping that coverage may appear to be a cost-saving measure now, it could result in a far greater liability in the event of a data breach claim against you.
- The Portal case was filed in 2013. The decision hinges on the coverage under Part B of the CGL policy for Personal and Advertising Injury. CGL policies were later changed through exclusions and endorsements, based on ISO’s suggested forms, which became effective May 1, 2014. While adherence to ISO forms is not mandatory, they are widely recognized and usually adopted. To date, the ISO exclusion and endorsements on data breach are available for use in 53 states, depending on the carrier’s preference. So the Portal case may not be applicable to policy claims made after that date where the policy does not contain Part B coverage. This point will certainly be argued in the future should similar cases be filed after the effective date under policies without Part B coverage language.
- The Portal Healthcare Solutions case is a departure from previous holdings in other state court cases that CGL insurance does not cover data breaches, creating a conflict between the states. This may result in the case being certified by the Supreme Court of the United States. However, there is an absence of conflicting rulings between two Federal Courts of Appeals, which is generally a trigger for the Supreme Court to accept a case.
- Each party has a right to file a Petition for Certiorari to ask the Supreme Court to review the case. In this case, only Travelers would have a reason to request review. The Supreme Court may want to hear the case because the data held by the Defendant, Portal Healthcare Solutions, consists of medical records, which would fall under HIPAA privacy rules, and the protection of these documents is legally mandated, so the Government would have an interest in protecting American citizens’ privacy and the members of the class action suit who were injured by the data breach.
- It also raises important questions in regard to cyber security in the form of cyber hacking of data, which is a growing national threat. Cyber security is considered to be the 5th highest underwriting risk for insurance carriers, according to the Swiss Re SONAR report of May 2016. Thus the Supreme Court has a duty and an interest in protecting the safety of America’s citizens.
- Almost all businesses have some risk of data breach or a cyber security risk which impacts commerce and trade throughout the US.
Due to all the above factors, it is difficult to determine whether Travelers Indemnity will petition for certiorari, and whether the Supreme Court will accept the case. The better course of action for Travelers financially may be to just cover the insured damages under the policy and then go on to fight another day in a case where the policy does not have Part B coverage and the endorsements are on the newer ISO forms. However, Travelers may still have numerous policies outstanding with Part B coverage for personal injury and advertisement, which compels them to address the question now.
Because of the ever-growing risk associated with cyber security crimes, including extortion, kidnapping, and terrorism, most major carriers have designed new types of insurance products to cover data breach and cyber crimes, presuming, based on previous court rulings, that general liability did not cover these events. If this ruling is upheld without going to the Supreme Court, it may still have far-reaching impact for both the business community and the insurance industry, as it leaves unanswered the basic question regarding coverage after the inception of the new ISO endorsements.
If the public perception is that you do not need data breach/cyber security insurance, this could lead to a sizable loss for the insurance industry in litigation and loss of premiums, which could lead to employee layoffs in insurance companies and business closings.
Bear in mind that the insurance carrier payment for a data breach policy endorsement in the Target data breach case reached $44 million. Generally, CGL policies do not have an aggregate limit this high.
If the insurance carrier has to provide this insurance under a CGL policy without endorsement, there will be significant losses under those policies. Costs for General Liability insurance will rise and be passed on to the insured.
Insureds may not have adequate insurance under their CGL, as the policies are not designed to offer specialized coverage suited to each company’s needs and the aggregate limits may be too low, thereby financially harming the insured and the injured party.
The insured may still have options to purchase specific policy endorsements or supplements if the products continue to be offered. Most likely they will be, as public awareness of the threat and demand for the products are growing.
Consequently, until there is a complete resolution of this issue, the prudent business person should, at a minimum, retain their present cyber security/data breach insurance. High-risk industries should also purchase appropriate insurance products based on a thorough risk assessment or continue their existing coverage. It would be unwise to rely solely on your commercial general liability policy for data breach and cyber security risk.