On Monday, April 11, 2016, the Fourth Circuit upheld the decision of a Federal Court in Virginia requiring an insurer to defend its insured in a class action relating to its failure to maintain the security of certain patient medical records. Surprisingly, the insurance policies at issue were traditional General Liability policies (not cyber policies) and there was no third party breach of the insured’s data or network.
Portal, the insured, provided online storage of medical records to its hospital clients and allegedly exposed certain patient medical records to unsecured online searching. This was revealed when a couple of patients stumbled upon their medical records while Googling themselves. These patients brought a class action against Portal, but its insurer, Travelers, denied coverage and refused to defend Portal in the class action. The Travelers CGL policies provided coverage for, among other things, “electronic publication of material that …discloses information about [or gives unreasonable publicity to] a person’s private life."
While the policy didn't define “publication,” the Court determined that making confidential records publicly accessible via Internet searches falls within the plain meaning of “publication.” Further, the Court held that those records were “disclosed” the minute they were posted publicly online, regardless of whether a third party actually viewed them.
Critics will note that this decision is inconsistent with other recent decisions that have found no coverage for data breaches under traditional CGLs. That said, each case ultimately turns on its own particular facts. The policies in this case were CGLs from 2012 and 2013. With the proliferation of cyber exclusions being incorporated into newer CGL policies, it’s certainly becoming more challenging to argue coverage for data breaches in CGL policies. But, as this case shows, it’s important to carefully evaluate every policy in the event of an occurrence. While the policies are constantly changing, so is the legal landscape addressing coverage for data incidents.