Insurance companies issuing commercial general liability (CGL) policies are undoubtedly taking note of a recent noteworthy, though unpublished, federal appeals court decision. In April 2016, a federal appeals court in Virginia upheld a lower court’s ruling that a CGL policy may cover a data breach. The decision centered on the interpretation of policy language that the court said should be construed broadly. The ruling will likely cause insurers to scrutinize coverage language more closely and revise future policy definitions. For insureds, the decision should prompt a second look at policy language to determine whether a data breach arguably falls within the scope of coverage. The case, Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. (https://www.scribd.com/doc/308033367/Travelers-v-Portal-Healthcare-Fourth-Circuit-Court-of-Appeals) (hereinafter referred to as “Portal Healthcare“), is at odds with other recent state court decisions.
The factual prompt for the suit was a class-action lawsuit brought by a patients of a hospital whose confidential medical records were publicly posted online by the hospital’s electronic record-keeping service, Portal Healthcare Solutions (“Portal”). Portal tendered the matter under the two separate but substantially identical CGL policies issued by Travelers. In a declaratory relief action, Travelers argued data breach was not covered under the policies, but the District Court for the Eastern District of Virginia in Alexandria ruled that Travelers had a defense obligation under its Personal and Advertising Injury coverage section of the policies. The policies language obligated coverage because of an advertising or website injury arising from the “electronic publication of material that…gives unreasonable publicity to a person’s private life” or “the electronic publication of material that discloses information about a person’s private life.”
Travelers argued that the action of posting the medical records online was not a “publication” within the meaning of the policy because it could not be proven that the records were actually viewed by a third-party. The lower court and appellate court rejected this narrow and “pars[ing]” definition of publication. The appellate court also held that the class-action complaint by the patients, “at least potentially or arguably alleges a publication of private medical information” and that the conduct if proven, would have given unreasonable publicity to and disclosed information about the patients’ private lives. The court determined that any doubt in the meaning of the word “publication” should be interpreted in a manner that grants coverage rather than withholds it.
The lower court’s opinion distinguished a Connecticut case which ruled that a CGL policy did not cover the loss of computer tapes that contained personal information. See Recall Total Info. Mgmt. Inc. v. Fed. Ins. Co., 83 A.3d 664 (Ct. App. Conn. 2013). In that case, computer tapes fell out of the back of a van, were taken by an unknown person, and never recovered. Id. at 667. This fact pattern was distinguished because it involved a single thief and no allegation that the stolen information had been placed on the internet. In the Portal Healthcare case, the court stressed that the facts alleged “potentially or arguably” constituted “publication.”
While insurers offer policies specifically addressing cyber liability and data breach, these policies can often be cost-prohibitive and/or scarce. Business owners should consult with their legal counsel to look closely at the terms of the business’ CGL policies to determine whether they may potentially or arguably cover data breaches. The exorbitant cost of defending a data breach lawsuit, especially a class-action suit, may justify a declaratory relief action against a CGL carrier to determine the claims trigger a defense obligation. All companies should evaluate their cyber risks and exposures to make an informed decision about whether cyber liability insurance coverage is worth it. Despite the holding in Portal Healthcare, securing coverage for data breach incidents under a CGL policy is still an uphill battle.
Michael Hellbusch is a privacy and cyber liability attorney at TLDlaw. He is a member of the Sedona Conference’s Working Group 11 on Data Security and Privacy Liability and International Association of Privacy Professionals.