Court says insurer liable for data breach expenses
Executive Summary
A federal court ruled recently that a commercial general liability policy must cover damages from a data breach. The insurer argued that the contract clause did not apply.
• The policy covered "personal and advertising injury."
• The insurer argued that another clause allowed them to deny data breach expenses.
• Risk managers should study the wording of such clauses and discuss them with insurers.
A recent court ruling that requires an insurance company to pay a healthcare provider’s expenses related to a data breach should be heartening to risk managers who worry about the potentially huge costs of such an event. The ruling does not mean, however, that insurers will pay for data breaches without a hassle.
The United States District Court for the Central District of California upheld coverage under a commercial general liability policy for a hospital data breach that compromised the records of nearly 20,000 patients in Hartford Casualty Insurance Company v. Corcino & Associates et al. (See the story on p. 8 for more details on the case.)
The costs in question were related to class action lawsuits alleging that Stanford Hospital and Clinics in Palo Alto, CA, and the insured medical consulting firm Corcino & Associates violated the privacy rights of patients by providing confidential personally identifiable medical information to an individual who posted the information on a public website.
The insured sought a defense and indemnity under its commercial general liability (CGL) policy, but Hartford Casualty Insurance Co. said the policy did not apply to data breaches. The ruling should be encouraging to risk managers, says Roberta D. Anderson, JD, a partner with the law firm of K&L Gates in Pittsburgh. Providers have long hoped that a CGL would cover data expenses, but insurers had made it known they would resist paying.
"At least in California, this is a very significant decision," Anderson says. "The advertising and personal injury section of the policy contains a key definition that provides coverage for damages arising out of oral or written communication that violates a right of privacy. That absolutely can cover data breaches."
Even so, don’t expect your insurer to happily pay the expenses of a data breach. Despite the court’s ruling, this case illustrates that insurers will fight the claims even when a CGL policy has language that seems to explicitly include data breaches. "Insurers will tell you that they do not intend to cover data breaches, that they never did under the traditional policies," Anderson says. "Over the past 10 years, exclusions have made their way into the policies, and even if they don’t have exclusions, insurers will take the position that it is not covered. You can still have to fight out in court and pay significant legal expenses."
Insurers are including more exclusions in CGL policies, and they are getting more specific in describing how data breaches are not covered, Anderson says. The Hartford policy in this case had an exclusion that the company argued voided the other clause that seemed to provide coverage for a data breach, so Anderson says the exclusions currently being added to policies might require court tests to establish their validity.
One reason insurers want to exclude data breach coverage, other than the obvious potential expense of coverage, is that they are simultaneously offering separate policies specifically designed for data breaches. Anderson says healthcare providers should consider such policies, because the notification costs alone for a breach can exceed $500,000. (See the story on p. 8 for more on those policies.)
The California ruling is reassuring in that it suggests the courts will interpret insurance coverage broadly and the exclusions narrowly, says Betsy Baydala, JD, an associate with the law firm of Kaufman Borgeest & Ryan in New York City. However, insurers are likely to respond. The court told Hartford that its exclusion was not sufficiently specific to deny coverage for the data breach, so Baydala says insurers might take that as a signal to be more explicit with the data exclusions in a CGL.
"If you are seeking coverage for data breaches, and you should, then the CGL is not the best solution," she says. "Previous general liability policies may have been worded in such a way that you can still obtain coverage for a breach, but that is not as likely in the future as the insurance industry responds to this concern."
The insurance industry is certain to continue fighting data coverage under CGLs, says Richard D. Milone, JD, a partner with the law firm of Kelley Drye & Warren in Washington, DC. Providers should be able to expect coverage for data breaches under a CGL, he says, but the huge costs of breaches are making insurers look for a way out, especially if they can turn around and sell you a separate cyber policy.
"There is a growing number of lawsuits testing whether a general liability policy will provide coverage," Milone says. "This is a very good decision because it says the policyholder does get coverage under the standard policy. That is good for now, but we know that when insurers see themselves paying out a lot of money, they don’t just accept it as the cost of doing business. They will continue to narrow the circumstances in which they pay as much as they can."
- Roberta D. Anderson, JD, Partner, K&L Gates, Pittsburgh. Telephone: (412) 355-6222.
- Betsy Baydala, JD, Partner, Kaufman Borgeest & Ryan, New York City. Telephone: (212) 994-6538.
- Richard D. Milone, JD, Partner, Kelley Drye & Warren, Washington, DC. Telephone: (202) 342-8425.