For policyholders and attorneys that have feared the lack of coverage for data breaches under traditional policies (CGL, property), a recent ruling suggest that it is not time to write off those policies as a potential source of coverage. Yesterday, the Fourth Circuit issued an opinion upholding a trial court ruling that Travelers had a duty to defend its insured, a medical records company, for a class action resulting from a massive data breach. While this Fourth Circuit ruling was unpublished, it should give policyholders hope because the Court used logic and well-founded law on the broad duty to defend in reaching a completely different ruling than the one reached by the New York trial court in Sony v. Zurich, and which settled on appeal.
The class action resulted from the public disclosure of electronic medical records that were kept on a server operated by Portal Healthcare. Two of the medical patient plaintiffs discovered that their medical records were publicly available on the Internet without any password protection when they Googled themselves – a harrowing discovery, to be sure. Plaintiffs alleged that Portal negligently failed to secure it server, which contained confidential records such that those records were freely available on the internet without a password.
Travelers filed a separate coverage action, contending that it did not owe Portal a duty to defend. Portal, in contrast, argued that there had been a potential publication of the records, entitling it to a defense. The trial court ruled with Portal on summary judgment, and the Fourth Circuit affirmed that ruling, holding that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal”, which would constitute conduct potentially covered under the CGL’s personal and advertising injury coverage provision.
It is about time for a ruling in favor of policyholders for information-related breaches. But there are also some questions about how broadly this opinion can be read. In addition to being unpublished, how far will other courts go in finding coverage under a CGL personal and advertising injury provision? Will courts find that the publishing of such information to somewhere other than the internet triggers a duty to defend? What if it is a hacker that publishes the information and not the server company? That would lead to the somewhat ridiculous scenario where a company storing such records is covered when it makes a mistake, but not if a nefarious actor is involved and hacks that same information.
Needless to say, this is a positive result for policyholders. And while the facts of the case may limit the scope of its impact, any pro coverage ruling related to the internet is good news. But this is yet another reminder that now is a good time to review your coverage portfolio – CGL, property insurance, cyber insurance – and understand the strengths and weaknesses of your coverage.