WASHINGTON (Legal Newsline) - While a U.S. Court of Appeals for the Fourth Circuit ruling on a data breach insurance case was presented in a way that limits its impact, it's still a significant win for the insured, a Los Angeles attorney says.
"While the decision may not dramatically shift the playing field for data breach coverage, it still is a significant victory for policyholders because it shows that there can be coverage for inadvertent disclosure of confidential information under a CGL policy," said Ken Kronstadt, an attorney in the insurance recovery group of the law firm Kelley, Drye, and Warren.
Earlier this month, the Fourth Circuit upheld a lower court's ruling in the case of Travelers Indemnity Co. of America v. Portal Healthcare Soultions LLC. Portal, which had a commercial general liability insurance policy with Travelers, believed that policy should cover the costs of its legal defenses after a data breach at the company.
Portal is facing a class action lawsuit in New York state court after it allegedly failed to secure one of its servers, allowing confidential patient information to be viewed online for two months, without even a password required.
This case was significant because it was unclear legally before this point if a general CGL insurance policy would cover something like a data breach.
The Fourth Circuit ruled that Travelers was bound to provide coverage because the policy did not specifically exclude data breaches from the policy language.
"It is universally recognized that ambiguities in an insurance policy will be strictly interpreted against the insurance company, as the drafter of the policy," Kronstadt said.
"In other words, an insurer has the ability to unambiguously exclude data breaches from coverage, and any time it fails to do so and a data breach fits within the policy’s grant of coverage, the policyholder’s expectation that it will be covered in the event of a data breach is reasonable."
However, the scope of this decision is limited, he said. Perhaps recognizing that this was a very particular case and wanting to avoid setting a specific precedent, the Fourth Circuit decided not to publish its decision.
So while it is legally binding against Travelers in this particular case, it cannot be used as legal precedent in other cases. Also, in 2014, Insurance Services Office (a company that writes standard policy forms that most policies are based on) revised the standard CGL policy to exclude damages resulting from data breaches. Portal's policies were written in 2012 and 2013, before these changes were made.
Kronstadt said an appeal isn't likely.
"Practically speaking, an appeal seems like an unnecessary risk for Travelers. Right now, they have an unpublished opinion that is not binding on courts in subsequent actions," Kronstadt said.
"y appealing, given the possibility that the Supreme Court could uphold the Fourth Circuit’s decision, Travelers would risk turning that unpublished opinion into an opinion that is binding on every court in the country."