When it comes to insurance coverage for cyber risks, uncertainty continues to reign supreme. Cyber liability insurance is constantly evolving, and while dozens of insurers currently offer a cyber liability product, coverages are not standard from policy to policy. Given the varying nature of cyber risks, any number of different policies may respond to provide coverage for a cyber-related claim in some way, shape or form. Oddly enough, this now includes the commercial general liability (CGL) policy.
In a recent unpublished decision, the U.S. Court of Appeals for the Fourth Circuit upheld a district court’s grant of summary judgment, finding that Travelers had a duty to defend its insured under a CGL policy in a class-action suit alleging the publication of private medical records. The Travelers Indem. Co. of America v. Portal Healthcare Solutions, 644 Fed. Appx. 245 (4th Cir. 2016). This decision is at odds with at least two state court decisions, including one by the Connecticut Supreme Court in Recall Total Information Management v. Federal Ins., 317 Conn. 46 (2015), which held that traditional CGL policies do not provide coverage for liabilities arising out of cyber risks. See also Zurich Am. Ins. v. Sony, 2014 WL 3253541 (N.Y. Sup. Ct. Feb. 21, 2014) (insurer had no duty to defend under CGL policy in connection with a 2011 cyberattack since the breached information was published by the hackers, not Sony itself, and the policy required that the “publication” result from the policyholder’s own actions).
