This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders: that commercial general liability policies may provide coverage for certain data breach liabilities. In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.
The policyholder, Portal Healthcare Solutions, under a contract with a New York hospital for the storage and maintenance of its patients’ confidential medical records, arranged to store the records electronically. The records were allegedly not stored in a secure manner. Two patients discovered that their hospital records were publicly viewable through the first link returned by a Google search on their names. In 2013, the patients brought a class action suit in New York against Portal for negligent storage of confidential medical records.
Portal had coverage under the personal or advertising injury provisions of its commercial general liability policy for damages arising from “the electronic publication of material” that “gives unreasonable publicity to a person’s private life” or that “discloses information about a person’s private life.” In a declaratory judgment action initiated by the insurer, the Eastern District of Virginia granted summary judgment to Portal, holding that the insurer had a duty to defend Portal against the class action.
The Fourth Circuit affirmed the district court’s judgment on its reasoning. Portal’s alleged conduct of exposing medical records to online searching of a patient’s name fell within the plain meaning of “publication”: “to place before the public.” The court rejected the insurer’s arguments that (i) there was no publication, because Portal never intended to expose the records and (ii) there was no allegation that any unauthorized person actually accessed any of the records.
This week’s decision contrasts with an earlier decision of the Connecticut Supreme Court in Recall Total Information Management v. Federal Insurance Company, which we discussed last year. In that case, the Connecticut high court found no CGL coverage for claims arising from computer tapes containing employees’ personal information that fell off a van and were apparently taken by an unknown person. The district court in Portal Healthcare Solutions distinguished a single thief’s accessing the tapes in Recall from the posting of information on the internet before three billion people in Portal.
We have long asserted that there is coverage for certain data breach claims under the personal and advertising injury provisions of CGL policies. And while the Fourth Circuit’s decision validates that view, its impact may be limited. First, insurers will certainly argue that the facts of this unpublished decision—the posting of unsecured information on the internet—is different from situations in which hackers gain unauthorized entry to protected information. And, second, fewer and fewer policyholders are relying on CGL policies for coverage of data breach and cyber risks. For years now, insurers have marketed specialized cyber policies, in part by persuading policyholders that their CGL policies did not cover such risks, and by adding cyber exclusions to CGL policies. But even so, Portal may make a meaningful difference for insureds who do not have a cyber exclusion on their CGL policy if they don’t have any cyber insurance at all or if data breach litigation exhausts their cyber policy limits.