Just as the famous 1897 New York Sun editorial playfully reassured the skeptical eight-year-old Virginia, so too a recent Fourth Circuit decision should reassure policyholders in Virginia (and nationwide). Despite insurers’ skepticism, general liability insurance may in fact cover cyber events.
On April 11, the U.S. Court of Appeals for the Fourth Circuit handed down one of the first appellate-level decisions dealing with insurance coverage for a cyber event. The Fourth Circuit confirmed that a commercial general liability insurer was obligated, under the policy’s “personal and advertising injury” coverage, to defend its insured against a class-action lawsuit arising out of the inadvertent posting of patient medical records on the Internet. The decision is an important victory for policyholders because it validates a position against which insurers have aggressively fought for the past several years—coverage for cyber events is not only available under specialized “cyber” policies, but may also be obtained under traditional commercial policies.
The case, The Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, involved a company specializing in maintaining and safeguarding medical records for hospitals, clinics and other health care providers. In 2013, two patients of an upstate New York hospital discovered that their confidential hospital records were publicly accessible on the Internet. When each of the patients entered her name into Google’s search engine, the first result that came up was a link to a file containing her treatment history, lab data, medications, examination results and other private information. The patients filed a putative class-action against Portal, which had been engaged by the hospital to provide electronic storage and maintenance of patients’ medical records. The suit alleged that, due to Portal’s negligence, its server had been left “open” and personal data and health information belonging to over 2,300 hospital patients was made available to the public to view, copy and download without restriction.
In ensuing coverage litigation with Portal’s general liability insurer, the U.S. District Court for the Eastern District of Virginia construed the policies under Virginia law and acknowledged the broad scope of the duty to defend. The court held that personal and advertising injury coverage was potentially triggered because (1) an unauthorized “publication” of private information had occurred when Portal allegedly negligently allowed the medical records to be accessible through the Internet, and (2) the publication resulted in a “disclosure” to all Internet users of information that was previously unknown to the public. The court reached these conclusions despite the fact that the plaintiffs did not allege that anyone other than themselves had accessed their private medical records. The Fourth Circuit agreed, holding that the insurer must defend Portal because the complaint alleged that “any member of the public with an Internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”
Policyholders should consider the following takeaways from the Portal case:
- Victims of a cyber attack or data breach should examine all of their potentially applicable insurance policies. In addition to specialized cyber policies, general liability, errors and omissions, crime, first-party property and business interruption, and other types of policies may provide coverage. With respect to third-party liability policies, the duty to defend is exceedingly broad in most jurisdictions; and
- Portal dealt with a claim arising from a company’s alleged negligence that allowed private information to be published online. We can expect insurers to argue that Portal should be limited to those facts, and that general liability coverage does not extend to criminal cyber attacks in which the insured is victimized by the acts of others.
Coverage for cyber claims, under both “traditional” and cyber policies, continues to be an evolving area of law. Policyholders should continue to expect strong resistance from insurers when it comes to providing coverage for a cyber event under traditional commercial policies.