The Fourth Circuit Court of Appeals affirmed a Virginia Federal District court’s decision that examined the language of a commercial general liability (CGL) policy and held that an insurance carrier was required to defend its insured medical records company in a class-action lawsuit when its insured inadvertently published private patient medical records on the Internet. See Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944 (4th Cir. Apr. 11, 2016).

Both the Virginia District Court and the Fourth Circuit rejected the insurance company’s argument that there cannot be a “publication” unless its insured intended to communicate information to others. In so doing, the courts reasoned that the insurance carrier had a duty to defend because its CGL policy did not provide clear enough language as to what conduct constituted a “publication.”

This decision shows that there may be coverage for data breaches outside of the policies written specifically for data breach scenarios, i.e., cyber liability insurance policies. To this extent, the Travelers opinion should be limited to inadvertent publications by an insured, rather than a hacker breaking into a network and then publishing information on the Internet.