In Travelers Indemnity Co. of America v. Portal
Healthcare Solutions, LLC, the Fourth Circuit Court of
Appeals reverses the recent trend of insurance companies avoiding
any liability for data breaches under commercial general liability
(CGL) insurance policies.

On April 11, 2016, the Fourth Circuit affirmed a lower court
ruling, holding that an insurance company has a duty to defend a
policyholder under the terms of the CGL policy against allegations
that the policyholder posted confidential medical information on
the Internet.

Two years ago, two individuals filed a class-action complaint
alleging that Portal Healthcare Solutions engaged in conduct that
resulted in their private medical records being available on the
Internet to anyone who ran a "Google" search for the
patient's name and clicked on the first result. At the time,
Portal was insured under two substantially similar CGL policies
with Travelers Indemnity Co.

The CGL policies contained language obligating Travelers to pay
sums Portal becomes legally obligated to pay as damages because of
an injury arising from (1) the "electronic publication of
material that ... gives unreasonable publicity to a person's
private life" or (2) the "electronic publication of
material that ... discloses information about a person's
private life." Travelers sought a declaration that it
was not obliged to defend Portal under the CGL policies, but lost
on summary judgment and most recently on appeal to the Fourth
Circuit.

The Fourth Circuit, in an unpublished opinion, agreed with the
reasoning of the District Court for the Eastern District of
Virginia. The lower court determined that making confidential
medical records publicly accessible through an Internet search
placed those records before the public, and thus constituted
"publication" of electronic material, satisfying the
first prerequisite of the CGL policies. Further, the lower court
held that posting the confidential medical records online without
security restriction gave "unreasonable publicity" to and
"disclose[d] information" about a person's private
life, satisfying the CGL policies' second prerequisite to
coverage.

While the decision is favorable to policyholders, companies should
not rely on this decision or, in many cases, on their CGL policies
to provide coverage in the event of a data breach. As the Fourth
Circuit pointed out, although ambiguities in insurance policies are
generally construed in favor of the insured, insurers may exclude
certain types of coverage under CGL policies. Many CGL policies
contain express language excluding losses related to data
breaches.

All companies should review their current CGL policy to determine
whether it provides coverage in the event of a data breach, or
consider obtaining separate cyber insurance coverage. Womble
Carlyle can assist companies in reviewing existing policies to
determine what coverage has already been obtained or where gaps in
coverage may exist and in offering solutions to potential cyber
liabilities.