FYI, NBD is “internet slang” for “no big deal.” “Internet slang” is what my little brother uses in text messages.
Last week, the Fourth Circuit affirmed an Eastern District of Virginia ruling that Travelers had a duty to defend Portal Healthcare Solutions with respect to a class action data breach lawsuit filed after patients found their medical records online, sans permission. The opinion analyzed a commercial general liability policy (CGL), specifically the “publication” issue that was also at the forefront in the 2015 Sony Playstation coverage dispute. In Sony, a New York City trial court held that CGL carriers had no duty to defend a data breach class action, a ruling many saw as a sign that the days of finding data breach coverage in CGL policies was coming to an end. There have therefore been a number of commentators suggesting that Travelers is a pendulum swing in the other direction, a sign that the viability of data breach coverage under CGL policies remains.
My opinion? Nope.
The policies in Travelers were issued in January 2012 and January 2013. On May 1, 2014, CGL policies began incorporating ISO standard exclusion CG 21 06 05 14, which excludes, under CGL coverages A and B (“B” was involved in Sony and Travelers), coverage for “injury or damage arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”
The commentary on this exclusion’s effect:
“Translation: No coverage for you if someone sues you for a data breach…This prevents an insurer from having to cover a loss that might fit within the policy’s definition of personal and advertising injury [Coverage B]. ISO’s explanatory memorandum described the impact of the endorsement this way:
“With respect to bodily injury and property damage arising out of access or disclosure of confidential or personal information, these changes are a reinforcement of coverage intent. As discussed above, damages related to data breaches, and certain data-related liability, are not intended to be covered under the abovementioned coverage part. These types of damages may be more appropriately covered under certain stand-alone policies including, for instance, an information security protection policy or a cyber liability policy.
To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”
Travelers is not a trend reversal. It is among the few lawsuits lingering in the court system involving outdated CGL policy language. Your CGL policy is almost assuredly a claims-made policy, meaning that a data breach lawsuit today would only potentially be covered under your most recent policy (not the one in effect when the breach actually occurred). Because your policy likely contains CG 21 06 05 14 and/or similar language, Travelers isn’t go to be much help. In short, Travelers is not the beginning of a new trend. It is far more likely the end of an old one.