Commercial General Liability policies have, for several decades, included advertising and personal injury coverage. Such coverage is afforded for injury caused by various enumerated offenses, including breach of privacy. Although the precise terms of CGL policies vary, under some policies covered offenses include publication of material that discloses information about, or gives unreasonable publicity to, a person’s private life. What it means to advertise or publish often gives rise to disputes between insurers and their policyholders, with insurers often arguing that these terms require widespread and intentional dissemination of information by a policyholder. On April 11, 2016, the Fourth Circuit Court of Appeals held otherwise, concluding that when private data can be retrieved from the Internet, it constitutes “publication,” triggering an insurer’s duty to defend even where there is no allegation that the policyholder publicized the data and/or that the data was actually accessed by the public. As Joe Fields, the Insurance Coverage Group's Special Counsel reported to Law360 (Insurance), the ruling bolsters policyholders' claims for coverage given the Court’s express finding that, when private data can be retrieved from a public server, there has been a publication.
When patients found their private medical records online following their own Google search, they filed a class action lawsuit against Portal Healthcare Solutions, LLC, alleging that Portal was liable for posting confidential medical records on the Internet. Portal sought a defense from its insurer, Travelers Indemnity Co. of America, who instead sued Portal in the Eastern District of Virginia (No. Civ. 1:13-cv-917 (GBL)), seeking a declaration that it owed no coverage to Portal for the class action. Both Portal and Travelers moved for summary judgment as to Travelers’ defense obligations. Travelers argued that “publication” involved more than placing the private information before the public, noting that no third party was alleged to have viewed the information. The District Court observed that publication was not a defined term in Travelers’ policies. They provided, however, that Travelers was legally obligated to pay damages due to injury arising from (1) the “electronic publication of material that ... gives unreasonable publicity to a person’s private life” (the language found in the 2012 policy) or (2) the “electronic publication of material that ... discloses information about a person’s private life” (the language found in the 2013 policy). The Court explained that under Virginia law, the duty to defend is broader than the duty to indemnify, and observed that an insurer’s coverage obligations can be discerned by comparing its policy’s provisions to the allegations of the complaint. In so doing, the District Court explained that the policies contain two relevant prerequisites to coverage. First, the policies require an electronic publication of material. Second, they require that the published material give “unreasonable publicity” to, or “disclose” information about, a person’s private life. Using this framework, the Court found that publication occurs when information “is placed before the public” and that the policies contained no requirement that third parties access it. The District Court therefore granted Portal’s motion for summary judgment.
The Fourth Circuit affirmed in a written opinion adopting the reasoning of the District Court. The Court of Appeals noted the “sound legal analysis” employed by the District Court, and explained that Travelers’ efforts to parse alternative dictionary definitions of publication could not absolve it of its duty to defend Portal. The Court of Appeals, indeed, reminded that when construing insurance policies’ terms, courts must resolve all doubt as to their meaning in favor of an interpretation which grants coverage, not withholds it.
The takeaway here is that all companies should evaluate the extent to which their insurance programs contain data breach coverage before an actual or suspected breach occurs. Notwithstanding the Fourth Circuit’s ruling, law in this area remains fact-specific and mixed. Moreover, some insurers have issued policy endorsements limiting personal and advertising injury coverage for offenses relating to breach of privacy and disclosure of confidential information. Many insurers also offer cyber policies and endorsements to respond to these types of risks. If you have questions or concerns, McCarter & English’s Cybersecurity and Data Privacy Task Force is happy to help. McCarter & English’s Insurance Coverage Group also regularly reviews insurance policies to evaluate the scope of existing coverage relative to cybersecurity and data breach risks.