By: Daniel Knight
Earlier this month, the U.S. Circuit Court of Appeals for the Fourth Circuit affirmed a decision by the U.S. District Court for the Eastern District of Virginia in a case that could have both broad implications for commercial general liability insurance policies in the field of cyber liability and major caution signs for consumers. See Travelers Indem. Co. of Am. v. Portal Healthcare Sols., LLC, No. 14-1944 (4th Cir. Apr. 11, 2016). Over the past few years, cyber liability has made its way to the forefront of the insurance industry thanks, in part, to massive data breaches involving Target, Sony, JP Morgan, and The Home Depot, to name a few.
In April of 2013, a class action lawsuit was filed against Portal Healthcare Solutions, LLC (“Portal”), a company specializing in electronically safeguarding medical records for hospitals, clinics, and various other medical providers, alleging that Portal failed to safeguard the private and confidential medical records of patients at a hospital in Glen Falls, New York. See Travelers Indem. Co. of Am. V. Portal Healthcare Sols., LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014). According to the class action complaint, two patients discovered that, upon Googling their names, the first hit was a direct link to their respective medical records. Furthermore, it appeared the private and confidential medical records were publicly available on the internet for at least 4 months.
During this time, Portal had two commercial general liability (CGL) insurance policies issued by Travelers Indemnity Company of America (“Travelers”). Both policies provided coverage for “publication” giving “unreasonable publicity” to, or “disclosing” information about, a person’s private life. Claiming that class action plaintiffs failed to allege publication by Portal, Travelers contested its obligations to defend Portal in the class action lawsuit.
According to the District Court, the Travelers CGL policies contained two prerequisites to coverage and thus defense: (1) there must be an electronic publication of material; and (2) the published materials must give “unreasonable publicity” to, or “disclose” information about, a person’s private life. In ruling in favor of Portal, the District Court found that a publication did occur. Turning to the plain meaning of the word “publication”, the Court found that exposing material to the online searching of a patient’s name does, “at least ‘potentially or arguably’” place those records before the public, thus constituting a publication. In so finding, the Court held that determining whether a publication occurred depended on neither the publisher’s intent nor whether the information was actually accessed by a third-party. Additionally, the District Court found that “posting medical records online without security restriction exposes the records to the general view” and thus satisfies the second requirement of giving publicity.
In awarding summary judgment to Portal, the District Court held that Travelers’ duty to defend Portal in the class action lawsuit was triggered. While the class action lawsuit is still pending, the District Court’s decision, as affirmed by the Fourth Circuit, has serious implications for CGL insurance in the field of cyber liability and data breaches. Generally speaking, CGL insurance policies do not provide coverage for third-party losses caused by cyber risks and data breaches on grounds that data is intangible and thus not property as defined by many CGL policies. As a result of the Portal case, a consumer whose private and confidential data has been published due to a data breach now has a possible claim under a CGL policy if the CGL policy provides coverage for electronic publication or disclosure as the Travelers policies did.
While the Portal case provides a possible path to recovery for a very limited class of data breach cases, it also warrants a word of caution to business owners and consumers alike. Specifically, insurance consumers should know that, due to the growing prevalence of data breaches and the loss of private and confidential information, insurers are actively re-working their CGL policies to exclude coverage for cyber liability risks. Businesses, small and large alike, need to have separate cyber liability insurance policies to make sure they are adequately protected.
For more information on this topic or any other important insurance issue, please contact attorney Daniel Knight at (919) 277-2541 or by email, DKnight@andersonandjones.com
This summary is for informational purposes only and does not constitute legal advice or opinion.