Fourth Circuit Finds Coverage for Data Breach Class Action in CGL Policy

On April 11, 2016, the Fourth Circuit Court of Appeals held, in an unpublished opinion, that The Travelers Indemnity Company of America was required to provide a defense for its insured, Portal Healthcare Solutions, LLC, for an underlying data breach class action filed against Portal by customers whose private medical information was posted on the internet. While this case does not establish any binding precedent and may not be applicable more broadly, it is likely to encourage policyholders to continue looking for cyber coverage in standard CGL insurance policies.

In the underlying class action, filed in New York, plaintiffs alleged that Portal unwittingly allowed access to the medical records of patients at Glens Falls Hospital by posting them on the internet. Two patients at Glens Falls discovered that when they googled their own names, one of the results was a link that provided full access to their medical records. Portal was the vendor responsible for electronically storing medical records for Glens Falls.

At issue were provisions in a CGL policy issued for two successive years by Travelers to Portal. The policy in effect during the first policy year stated that Travelers would indemnify Portal for sums that Portal becomes legally obligated to pay as damages because of injury arising from the “electronic publication of material that…gives unreasonable publicity to a person’s private life.” The policy in effect during the second policy year contained slightly different language, referring to the “electronic publication of material that…discloses information about a person’s private life.” Both Travelers and Portal moved for summary judgment on the issue of whether Travelers was obligated to defend Portal in the class action. The primary issue was whether there was an electronic “publication” of material, and whether that electronic publication gave “unreasonable publicity” to, or “disclosed” information about, a person’s private life.

The Fourth Circuit Court of Appeals, in reaching the conclusion that Travelers was obligated to defend Portal, adopted the reasoning of the lower court. The lower court rejected Travelers’ argument that there was no publication because Portal did not intend to publish the medical records. The court concluded that the would-be publisher’s intent is not relevant and an unintentional publication is still a publication. The lower court also rejected Travelers’ argument that there was no publication because there was no allegation that a third party actually viewed the information. According to the court, “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.”

The lower court also found, and the Court of Appeals agreed, that the “public availability of a patient’s confidential medical records gave ‘unreasonable publicity’ to the patient’s private life and ‘disclosed’ information about the patient’s private life, satisfying the Policies’ second prerequisites to coverage.” The court noted that making records available to the public on the internet was both “publicity” and a “disclosure” based on the dictionary definitions of those words, regardless of the fact that no third party allegedly viewed the records. Based on those findings, the lower court ordered Travelers to provide a defense to Portal.

It is noteworthy that neither of the two policy provisions at issue is a standard ISO form provision. However, the same analysis could arguably be applied to the standard ISO definition of “personal and advertising injury,” which includes “oral or written publication, in any manner, of material that violates a person’s right of privacy.” The 2013 ISO revisions to the Commercial General Liability forms contain an optional endorsement deleting this particular offense from the definition of “personal and advertising injury.” In addition, ISO has introduced endorsements that exclude damage arising from the disclosure of personal information, including health information, from the coverage provided under CGL policies.

In the short term, this decision will likely continue to encourage policyholders to look to traditional CGL policies for coverage for data breaches. However, the fact that Portal is a non-precedential opinion, analyzing non-standard provisions, in policies that apparently did not contain available endorsements designed to exclude coverage for data breaches under traditional CGL policies, means that this case is not likely to cause any paradigm shift in the area of insurance coverage for cyber and data risks.

Feel free to direct questions or comments to Nace Naumoski at (484) 344-5345 or NNaumoski@StewartSmithLaw.com