In Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, the Fourth Circuit Court of Appeals reverses the recent trend of insurance companies avoiding any liability for data breaches under commercial general liability (CGL) insurance policies.

On April 11, 2016, the Fourth Circuit affirmed a lower court ruling, holding that an insurance company has a duty to defend a policyholder under the terms of the CGL policy against allegations that the policyholder posted confidential medical information on the Internet.

Two years ago, two individuals filed a class-action complaint alleging that Portal Healthcare Solutions engaged in conduct that resulted in their private medical records being available on the Internet to anyone who “Google” searched for the patient’s name and clicked on the first result. At the time, Portal was insured under two substantially similar CGL policies with Travelers Indemnity Co.

The CGL policies contained language obligating Travelers to pay sums Portal becomes legally obligated to pay as damages because of an injury arising from (1) the “electronic publication of material that … gives unreasonable publicity to a person’s private life” or (2) the “electronic publication of material that … discloses information about a person’s private life.” Travelers sought a declaration that Travelers was not obliged to defend Portal under the CGL policies, but lost on summary judgment and most recently on appeal to the Fourth Circuit.

The Fourth Circuit, in an unpublished opinion, agreed with the reasoning of the District Court for the Eastern District of Virginia. The lower court determined that making confidential medical records publicly accessible through an Internet search placed those records before the public, and thus constituted “publication” of electronic material, satisfying the first prerequisite of the CGL policies. Further, the lower court held that posting the confidential medical records online without security restriction gave “unreasonable publicity” to and “disclose[d] information” about a person’s private life, satisfying the CGL policies’ second prerequisite to coverage.

While the decision is favorable to policyholders, companies should not rely on this decision or, in many cases, on their CGL policies to provide coverage in the event of a data breach. As the Fourth Circuit pointed out, although ambiguities in insurance policies are generally construed in favor of the insured, insurers may exclude certain types of coverage under CGL policies. Many CGL policies contain express language excluding losses related to data breaches.

All companies should review their current CGL policy to determine whether it provides coverage in the event of a data breach, or consider obtaining separate cyber insurance coverage.