Twitter Google +1 Facebook LinkedIn Share this page RSS

Blogs

Insurance Law Blog Legal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

A CGL Policy May Provide A Duty To Defend Data Breach Claims – 4th Circuit Court of Appeals Decision

April 14, 2016 | Thomas Rice
The 4th Circuit Court of Appeals has ruled that a commercial general liability policy (CGL) may cover a data breach, at least for the purposes of a duty to defend. In a case involving the publication of private medical records on the internet, the federal appellate court agreed with the lower federal district court in Virginia that coverage included in a CGL for personal and advertising injury applied.  The Travelers Indemn. Co. of Amer. v. Portal Healthcare Solutions, LLC, slip op., Case No. 14-1944 (4th Cir. April 11, 2016).
 
The underlying class-action complaint alleges that Portal and others engaged in tortious conduct that resulted in the plaintiffs’ private medical records being available on the internet for more than four months. During the alleged tortious conduct, Portal was insured under two CGL insurance policies issued by Travelers,  in 2012 and 2013. Travelers argued its 2012 and 2013 CGL policies did not require it to defend Portal because the class-action complaint fails to allege a covered “publication” by Portal or any other covered conduct within the scope of the CGL policies. 
 
The federal appellate court, in finding that Travelers has a duty to defend Portal from the class action, characterized those arguments as “efforts to parse alternative dictionary definitions”.  The federal appellate court applied the Virginia “Eight Corners’ Rule” by looking to “the four corners of the underlying complaint” and “the four corners of the underlying insurance policies” to determine whether Travelers is obliged to defend Portal. 
 
The 4th Circuit Court agreed with the lower court’s opinion that the class-action complaint at least potentially alleges a publication of private medical information by Portal that constitutes conduct covered under the policies. The federal appellate court further explained that such conduct, if proven, could have given unreasonable publicity to, and disclosed information about, patients’ private lives, because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online. 
 
This ruling significantly increases the risk of future coverage claims for data breach losses under traditional CGL policies, based on its broader interpretation of the term “publication” as used in those policies.

Insuring Companies from Cyber Risk and Liability

April 1, 2016Recently, privacy, data breaches, and cyber security issues have taken center stage in the media.  In the event of a data breach, a company faces a multitude of expenses both internally and externally including but not limited to investigation, business loss, and remediation.  Companies are responding to the risk of data breach events, in part, by seeking insurance coverage.  Insurance carriers are accommodating this need by selling policies to protect companies in the event of a breach.     

Generally, coverage for cyber risk and liability is divided into two classes: First-Party coverage and Third-Party coverage. First-party coverage applies to protect the insured from the costs to its business in the case of a breach.  Examples of such costs include expenses like business loss/interruption and replacing/repairing equipment that may have been damaged or affected during the breach.

Third-party coverage applies to the costs an insured may have to pay to third parties or due to injuries of third-parties. Examples of such coverage include judgments as a result of a lawsuit and other expenses a company would have to pay to a third-party, expenses associated with notification of a breach to affected persons and credit monitoring.  Also, third-party coverage can insure expenses in responding to government regulators after a breach for purposes of investigation into the breach or penalties/fines as a result hereof.  Investigation into the cause of a data breach is often times costly and time-consuming.

There is not a “one-size-fits-all” policy with respect to insuring cyber liability.  Instead, policies can be tailored to the needs of the company seeking coverage.  By way of example, coverage and premiums can vary based on the following:

  • The industry in which a company operates;
  • The geographical area in which the company operates (local, national, international);
  • The size of the company;
  • Coverage for actions of third party vendors storing/accessing a company’s information;
  • Effective date of the policy (retroactive v. date policy purchased);
  • Remediation coverage; and
  • Business loss.
The above-bulleted list is not comprehensive but highlights some differences between policies.  Not every carrier will have the same types or level of coverage available.  Furthermore, policies insuring from cyber liability can include clauses that exclude certain events from coverage.  

For a company, the decision to purchase cyber liability insurance is not always an easy one.  A company is well-advised to evaluate its risk, exposure, and needs to ensure it purchases the correct level and type of coverage.  Often times, policies have room for negotiation with respect to coverage and price.  Costs can vary between carriers, even for similar levels of coverage.  A company should also be informed on the specific requirements that are sometimes included in a policy.  For example, certain policies may require that a company engage in preventative measures to ensure that its costumer’s data is safely stored.  The issue with some policies, however, is that it will include language like “due care” which is difficult to define.  A company that fails to adhere to the requirements of policy may be denied coverage in the event of a data breach.  When purchasing a policy, a company should also be aware of not only the total limits of the policy, but of any sub-limits.  Specifically, a policy may limit the amount of coverage for investigation, notification, and remediation portions of a breach event that may be smaller than the overall coverage limit.

Cyber liability insurance policies will continue to evolve due to the dynamic nature of cyber security.  Companies are well advised to continuously monitor the risks, exposure, and needs to ensure that they have adequate protection in the event of breach.           

Class Actions Based on Wrongful Application Of Labor Depreciation In Property Insurance Claims Are Active In Missouri

April 10, 2015 | Thomas Rice

Three separate class actions have been filed in Missouri challenging how depreciation is used in calculating the actual cash value of property damage under homeowners and commercial property insurance policies. In the past insurers used replacement-cost-less-depreciation to calculate actual cash value. This calculation takes the entire estimated replacement cost of property (materials, labor and other items) and depreciates the property based on age and condition. The Missouri class actions allege only materials should be depreciated as a component of the replacement cost, and labor should not be depreciated.

The Missouri class actions raising the labor depreciation issue are McLaughlin v. Fire Insurance. Exchange., 1316-CV11140 (16th Circuit Court for Jackson County, Mo.); Bellamy v. Nationwide Affinity Insurance Company, 1516-CV06346 (16th Circuit Court for Jackson County, Mo.); and Riggins v. American Family Mutual Insurance Company, 2:14-cv-04171-NKL (W.D. Mo.). No rulings on the merits or class certification in any of the three class actions have been rendered.

Related Services: Insurance

Attorneys: Thomas Rice

Subscribe
About Insurance Law Blog

The BSCR Insurance Blog examines topics and developments of interest to insurance carriers, with a particular focus on Missouri and Kansas law. Learn more about the editor, Angela M. Higgins, and our Insurance practice.

DISCLAIMER

The Insurance Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.

CONFIDENTIAL INFORMATION

Do not include confidential information in comments or other feedback or messages related to the Insurance Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Insurance Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.