Cyber insurance policies are often considered the “last line of defense” against cybersecurity incidents, but companies should keep in mind that their traditional commercial general liability (“CGL”) insurance policies are a potentially valuable, yet often overlooked, insurance asset in the event of a data security breach. In last week’s decision in Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C.,1 the Fourth Circuit affirmed a district court’s ruling that a class action lawsuit arising out of a data security breach triggered an insurer’s duty to defend under a CGL policy’s “Advertising Injury” coverage section. While CGL policies are no substitute for certain of the coverages included in cyber policies for notification costs, crisis management losses, and forensic investigations, the Fourth Circuit’s ruling confirms that traditional CGL policies may cover defense costs, settlements, and judgments arising out of data privacy lawsuits.