This article courtesy of guest blogger Alfonso Nardi, a student at Roger Williams University School of Law
Commercial General Liability policies (CGL) typically do not include data protection loss coverage, although some insurers offer additional data protection endorsements. Normally those additional endorsements only cover data losses caused by physical damage. That means, if your employee damages a server that stores client or patient data, that could trigger coverage. It would not, however, cover the same employee accidentally releasing client/ patient data, or loss from ransomware or other malware. In a recent case., the parties were in dispute whether the insurance company had a duty to defend the insured against class-action allegations that the insured posted patient data on the internet. In April, a federal appeals court in Virginia upheld a lower court ruling that a CGL policy may cover the underlying data breach. This opposes two State court cases in New York and Connecticut which held that CGL policies generally do not require a duty to defend in the instance of cyber-attacks.