Do You Need Cyber Insurance or Will Your CGL Policy Be Enough? Fourth Circuit Affirms CGL Policies Require Insurer to Defend Company Against Alleged Data Breach April 21, 2016 In Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, the Fourth Circuit Court of Appeals reverses the recent trend of insurance companies avoiding any liability for data breaches under commercial general liability (CGL) insurance policies. On April 11, 2016, the Fourth Circuit affirmed a lower court ruling, holding that an insurance company has a duty to defend a policyholder under the terms of the CGL policy against allegations that the policyholder posted confidential medical information on the Internet. Two years ago, two individuals filed a class-action complaint alleging that Portal Healthcare Solutions engaged in conduct that resulted in their private medical records being available on the Internet to anyone who “Google” searched for the patient’s name and clicked on the first result. At the time, Portal was insured under two substantially similar CGL policies with Travelers Indemnity Co. The CGL policies contained language obligating Travelers to pay sums Portal becomes legally obligated to pay as damages because of an injury arising from (1) the “electronic publication of material that gives unreasonable publicity to a person’s private life” or (2) the “electronic publication of material that discloses information about a person’s private life.” Travelers sought a declaration that Travelers was not obliged to defend Portal under the CGL policies, but lost on summary judgment and most recently on appeal to the Fourth Circuit. The Fourth Circuit, in an unpublished opinion, agreed with the reasoning of the District Court for the Eastern District of Virginia.

The lower court determined that making confidential medical records publicly accessible through an Internet search placed those records before the public, and thus constituted “publication” of electronic material, satisfying the first prerequisite of the CGL policies. Further, the lower court held that posting the confidential medical records online without security restriction gave “unreasonable publicity” to and “disclose[d] information” about a person’s private life, satisfying the CGL policies’ second prerequisite to coverage. 1 . While the decision is favorable to policyholders, companies should not rely on this decision or, in many cases, on their CGL policies to provide coverage in the event of a data breach. As the Fourth Circuit pointed out, although ambiguities in insurance policies are generally construed in favor of the insured, insurers may exclude certain types of coverage under CGL policies. Many CGL policies contain express language excluding losses related to data breaches. All companies should review their current CGL policy to determine whether it provides coverage in the event of a data breach, or consider obtaining separate cyber insurance coverage. Womble Carlyle can assist companies in reviewing existing policies to determine what coverage has already been obtained or where gaps in coverage may exist and in offering solutions to potential cyber liabilities. Contact Information If you have any questions about this update, please contact client alert authors Jay Silver at JSilver@wcsr.com or 919.755.2188, Orla O'Hannaidh at OOhannaidh@wcsr.com or 919.484.2339, or Ted Claypoole at TClaypoole@wcsr.com or 704.331.4910, or the Womble Carlyle attorney with whom you normally work. __________________ Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice regarding any specific facts and circumstances, nor should they be construed as advertisements for legal services. 2 .