A federal court of appeals held that general insurance policies cover a data breach class action in a case that is highly likely to impact how courts throughout the country resolve insurance claims related to cyberattacks and policy renewal negotiations.

On April 11, 2016, the United States Court of Appeals for the Fourth Circuit upheld a trial court’s finding that Travelers Indemnity Company of America is required to defend Portal Healthcare Solutions, LLC in a class action filed in New York. In the original case, two plaintiffs filed a class action alleging that Portal failed to safeguard their confidential medical records when they were made publicly accessible on the internet. Travelers filed a separate action seeking a declaratory judgment that it was not required to defend Portal. Travelers argued that the class representatives had not alleged that Portal had “published,” given “undue publicity,” or “disclosed” the plaintiffs’ information to any third party, to trigger coverage under the policies.

Applying Virginia law, the trial court disagreed, finding that it was required to follow the “Eight Corners Rule” by looking to the four corners of the class action complaint to determine whether it alleged grounds for liability “potentially or arguably covered” by the four corners of the insurance policies. The trial court concluded that since the policies did not define the operative terms “publication,” “unreasonable publicity,” or “disclose,” those terms would be given their plain and ordinary meaning. Citing common dictionaries, the court found that the tort alleged in the class action – i.e., exposing the plaintiffs’ medical records online – constituted publication, unreasonable publicity, and disclosure of the medical records even if the only individuals who actually saw the records were the plaintiffs. Thus, the court concluded, Travelers was required to provide a defense to Portal.

The Fourth Circuit upheld the trial court’s ruling, holding that the trial court correctly applied the Eight Corners Rule, particularly because “under Virginia law, an insurer’s duty to defend an insured is broader than its obligation to pay or indemnify an insured” and that “the insurer must use language clear enough to avoid ambiguity if there are particular types of coverage that it does not want to provide.”

Although the Fourth Circuit was interpreting Virginia law, most jurisdictions throughout the United States – including Utah – apply the Eight Corners Rule and, even where the rule is articulated differently, as in Colorado, courts universally hold that insurance companies have a broad duty to defend.

The ruling has significant implications for claims under existing or prior policies. First, companies that are or have been the target of cyberattacks likely have a strong claim that their existing general insurance policies cover any ensuing litigation related to the cyberattacks. Because a company may not discover that it was the target of a cyberattack until months or years afterwards, insurance companies will likely have to cover significant claims covered by current or prior policies for years to come.

Second, companies should pay close attention to the definitions and exclusions proposed by their insurance companies during negotiation of their policy renewals. As most policies are annual, insurance companies are likely to carefully define the exclusions to heed the Fourth Circuit’s admonition that they must clearly identify the types of data disclosures they intend to exclude from coverage. Given the increased frequency of cyberattacks, companies should bargain equally as hard for protection under their policies in the event they become the next victim of a data breach.

The case is Travelers Indemnity Co. of America vs. Portal Healthcare Solutions, L.L.C., Case No. 14-1944 (4th Cir. April 11, 2016).