Is Cyber Covered Under a CGL Policy?
Here is a link to a Presentation / Slides on this topic for your use.
On April 11th, 2016, the Fourth Circuit Court of Appeals upheld a ruling by the Eastern District of Virginia that two CGL policies required an insurer to cover the defense of a cyber claim for the failure to secure patient information. While we will review the nature of the allegations and the ruling, the long story short is that the defense under a CGL policy represents a small fraction of the coverage under a typical standalone Cyber policy.

The Facts and Allegations:

Portal Healthcare Solutions (Portal) purchased CGL policies from Travelers. These policies contained typical Personal Injury coverage. Portal is an electronic medical records company. The Personal Injury coverage provides some coverage for electronic publication of material that gives unreasonable publicity to a person’s private life. Portal failed to safeguard that data, and patients were able to do a simple Google search of their name and find that the first results were a direct link to their medical file.
The courts have currently ruled that this data breach is considered “electronic publication”, thus triggering a defense under the Personal Injury coverage. Assuming this decision holds up, let’s consider whether this constitutes coverage for Cyber.
The policy still does not cover the following 1st Party Costs:
  • IT Forensics Costs
  • Public Relations
  • Customer Notification
  • Credit Monitoring
  • Cyber Extortion
  • Cyber Business Interruption
  • Network Asset Damage
The policy still does not cover the following 3rd Party Liabilities:
  • Indemnity Payments
  • Regulatory Investigations (including HIPAA)
  • Regulatory Fines and Penalties (including HIPAA)
  • PCI Fines and Penalties / Remediation Costs
  • Breach of Contract coverage
  • Cyber Terrorism
The policy does not offer a panel of experts with pre-negotiated rates to defend the insured or help with the breach. It does not provide any Cyber-specific risk management services or have claims handlers that have handled Cyber claims.
In the event of a breach there may be small amounts of coverage available under non-cyber policies like a CGL policy, but that will be highly dependent on the nature of the facts and allegations (for example, if the publication was made by a hacker, it would not be covered under the CGL) as well as the CGL policy wording. Most recent policies are coming with an added Cyber exclusion or will not offer personal injury coverage on a class of business that has any significant Cyber exposure. That is a big gray area, coupled with all the coverages listed above that are not available in a CGL policy for a data breach.
There have been a lot of articles lately with a headline that makes it sound like Cyber is covered under a CGL policy. Remember the old adage, “If it sounds too good to be true, it probably is…” Don’t be fooled by these articles or anyone else that tells you Cyber is covered under a CGL policy, or it could be your E&O on the line.