The United States Court of Appeals for the Fourth Circuit recently affirmed a decision by the United States District Court for the Eastern District of Virginia, Alexandria Division (District Court), finding that Travelers Indemnity Company of America (Travelers) had a duty to defend Portal Healthcare Solutions, LLC (Portal) under commercial general liability (CGL)policies in relation to an alleged data breach event. See Travelers Indem. Co. of Am. v. Portal Healthcare Sols., No. 14-1944 (4th Cir. Apr. 11, 2016) (unpublished). This is a significant decision because it is one of the few appellate decisions addressing coverage under CGL policies for cyber events.
Travelers insured Portal under two CGL policies that were in effect from January 2012 to January 2013 (2012 Policy) and January 2013 to January 2014 (2013 Policy) (collectively, Policies). Portal specialized in the electronic safekeeping of medical records for hospitals and other medical providers. After it was discovered that Portal had inadvertently posted confidential medical records on the Internet without password protection, the owners of the medical information initiated a class action against Portal.
Portal sought insurance coverage from Travelers for the cyber claim under the Policies. Suit was filed, and the parties filed cross-motions for summary judgment regarding whether Travelers had a duty to defend Portal under the Policies. Proceeding under Virginia law and in light of Virginia’s Eight Corners Rule (under which the duty to defend is determined by the four corners of the complaint in relation to the four corners of the policy), the District Court denied Travelers’s motion and granted Portal’s motion, ruling that Travelers had a duty to defend Portal. The Fourth Circuit affirmed the decision in its unpublished opinion issued April 11, 2016.
In making its coverage determination, the District Court considered the Policies’ language requiring injury arising from “electronic publication of material that … gives unreasonable publicity to a person’s private life” (2012 Policy) or the “electronic publication of material that … discloses information about a person’s private life” (2013 Policy). The District Court held that “exposing confidential medical records to online searching is ‘publication’ giving ‘unreasonable publicity’ to, or ‘disclosing’ information about, a person’s private life.”
In reaching its decision, the District Court considered Recall Total Info. Mgmt. Inc. v. Fed. Ins. Co., 147 Conn. App. 450, 83 A.3d 664 (Ct. App. Conn. 2013) (aff’d Recall Total Information Mgmt., Inc. v. Federal Ins. Co., SC19201 (Conn. May 18, 2015)). Recall Total was responsible for transporting and storing data tapes containing confidential information. During transport, one of the crates containing private information fell off the transport vehicle. Affirming the trial and intermediate appellate courts, the Connecticut Supreme Court held that absent factual support that the private information was actually accessed, the loss of the tapes did not rise to the level of a publication. In Portal, the District Court distinguishedRecall Total because the information in Portal was posted on the Internet where anyone could access it versus the situation where limited persons could have accessed the fallen crate in Recall Total.
Ultimately, the District Court held that Travelers’s duty to defend was triggered because the allegations in the complaint were “potentially or arguably covered by the policy.” In a succinct opinion, the Fourth Circuit affirmed the District Court’s decision agreeing that Travelers had a duty to defend Portal. Dismissing Travelers’s reliance on dictionary definitions, the Fourth Circuit fell back on the general rule that where there is doubt as to the meaning of policy terms, the court should find in favor of coverage.
Although not considered in Portal, Zurich Am. Ins. v. Sony Corp. of Am., No. 651982/2011 (NY Sup. Ct. Feb. 21, 2014), is another one of the few related cyber decisions addressing coverage for a data breach under a CGL policy. In Sony, a New York trial court granted summary judgment in favor of Zurich American, holding that acts by third-party hackers, versus acts by the insured, do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” under personal and advertising injury coverage in a CGL policy. The decision was appealed, but a settlement was reached before an appellate decision was rendered. In Portal, the insured was accused of the data breach, and inSony, a third party was accused, but Sony illustrates the range of interpretation of the term “publication” under personal and advertising injury coverage.
While cyber policies have been created to fill the insurance gap for data breach incidents, there are naturally limitations to such coverage as well. For example, in Travelers Property Casualty Co. of America v. Federal Recovery Servs., Inc., Case No. 2:14-CV-170 TS (D. Utah May 11, 2015), the court held that there was no coverage under a cyber policy due to allegations in the complaint that the insured had acted knowingly, willfully and intentionally. In Portal where there was no apparent intentional act, a cyber policy may have provided coverage. Therefore, the Fourth Circuit’s expansion of CGL coverage has the potential to cause overlap in coverage and unintended confusion when companies are insured under both CGL and cyber policies.
While coverage for data security breaches may be barred by exclusions added to more recent CGL policies, the Portal decision remains significant for coverage determinations under earlier CGL policies. Although CGL policies were not intended to cover cyber risks and the extent of such risks were not known until recent years, the Portal decision illustrates that there may be coverage nonetheless. If courts follow the Portal line of reasoning instead of the Recall Total rationale, then inadvertent online information posts can widely trigger CGL coverage. Regardless, companies will continue to need cyber insurance moving forward due to the rapidly developing changes in this insurance area and the increasing exclusions being added to CGL policies for data breach.