In a decision issued April 11, the Fourth Circuit added to a small but growing body of case law across the country finding coverage for cyber claims under traditional general liability insurance policies. In Travelers Indemnity Co. v. Portal Healthcare Solutions, LLC, No. 14-1944, ___ F. App’x ___, 2016 WL 1399517 (4th Cir. April 11, 2016), the court affirmed a federal district court’s ruling that Travelers Indemnity Company of America (“Travelers”) must defend its insured, Portal Healthcare Solutions, LLC (“Portal”), in a putative class-action lawsuit alleging that Portal published the plaintiffs’ private medical records on the Internet.

The underlying lawsuit against Portal was filed by plaintiffs Dara Halliday and Teresa Green in New York state court. The plaintiffs alleged that Portal had allowed their private medical records to remain on an unsecured server for several months, making them publicly available on the Internet for anyone to see. Portal was insured under two insurance policies issued by Travelers – one spanning the period from January 2012 to January 2013, and another spanning from January 2013 to January 2014. The policies covered Portal for damages caused by “electronic publication of material that ... gives unreasonable publicity to a person’s private life” or the “electronic publication of material that ... discloses information about a person’s private life.”

Travelers filed a lawsuit against Portal in the Eastern District of Virginia, seeking a declaration that it was not obligated to defend Portal against the underlying New York putative class-action claims. Travelers argued that the complaint failed to allege a covered publication by Portal for two reasons: First, Travelers argued that “publication” under the policy required intentional publication, rather than mere inadvertent disclosure. Second, Travelers contended that there was no “publication” because the underlying complaint did not allege that anyone, other than the plaintiffs, actually viewed the medical records online. The district court rejected these arguments, finding that exposing confidential medical records to online searching is “publication” giving “unreasonable publicity” to, or “disclos[ing]” information about, a person’s private life, and holding that Travelers was duty bound under the policies to defend Portal against the class-action complaint.

The Fourth Circuit affirmed in an unpublished, per curiam opinion. The court emphasized that the district court had correctly applied the “eight corners rule” – which looks to the terms of the policy and the allegations in the complaint – to determine whether Travelers had a duty to defend. Turning to the “publication” issue, the court noted its agreement with the district court’s conclusion that the class-action complaint “at least potentially or arguably” alleged a “publication” of private medical information by Portal that constituted conduct covered under the applicable policies and affirmed the district court’s ruling that Travelers was required to defend Portal against the New York class-action complaint.

Some may argue that the decision in Portal is “too little, too late.” It can arguably be seen as “too little,” in that there remains a divergence in the case law that encourages strategic insurer claim denial (particularly in jurisdictions that lack a robust policyholder remedy for insurer bad faith). For example, insurers continue to rely on the ill-reasoned trial court decision in Zurich American Insurance Company v. Sony Corp. of America, where the New York trial court held that there was no coverage unless the “publication” was made by the policyholder, rather than hackers. The fact that the decision is unreported further limits its potential precedential impact. The decision may also arguably be seen as “too late,” in that the insurance industry has promulgated endorsements that are intended to minimize or eliminate the potential for cyber-breach coverage under general liability policies.

Nevertheless, the Fourth Circuit’s decision in Portal is noteworthy for at least two reasons. First, the court’s broad reading of the policy term “publication” will benefit policyholders seeking coverage for data breach claims involving inadvertent disclosure of information. Second, the decision underscores the importance of considering the possibility of coverage for cyber events under traditional policies – such as commercial general liability, directors and officers, and errors and omissions policies – despite efforts by the insurance industry to exclude cyber claims from traditional policies and force insureds to purchase dedicated cyber coverage.