As reported by Jeff Sistrunk, this week, the Court of Appeals for the Fourth Circuit will hear appellate arguments as to whether a Commercial General Liability (CGL) insurance policy provides coverage for a data breach:
The Fourth Circuit will hear arguments Thursday on whether Travelers must defend a medical records company against a class claim that its failure to secure a server caused records to be accessible to unauthorized users, a case experts say will have an impact on the availability of data breach coverage under commercial general liability policies.
Policyholders should hope that the Fourth Circuit’s rate of reversal – reported to be 4.2 percent for “Other U.S. Civil” and 7.3 percent for “Other Private Civil” cases – will give the insurance company an uphill battle to get the well-reasoned lower court decision reversed. The insurance industry must view this case as serious, seeing that two industry groups, according to Sistrunk, filed amicus briefs supporting the insurance company’s appeal.
What’s the case? It’s Travelers Indemnity v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 768 (E.D. Va. 2014), an insurance coverage case turning on whether a CGL insurance policy provides coverage for a data breach. Patient records had been published on the Internet and were searchable by different search engines. Portal sought coverage under two policies which would require “Travelers to pay sums Portal becomes legally obligated to pay as damages because of injury arising from (1) the ‘electronic publication of material that … gives unreasonable publicity to a person’s private life’ . . . or (2) the ‘electronic publication of material that … discloses information about a person’s private life.’” Id. at 767.
The parties disputed whether there was such injury and whether there was “publication.” The court found that publication had occurred because “exposing confidential medical records to public online searching placed highly sensitive, personal information before the public. Thus, the conduct falls within the Policies’ coverage for ‘publication’ giving ‘unreasonable publicity’ to, or ‘disclos[ing]’ information about, a person’s private life, triggering Travelers’ duty to defend.” Id. at 769. Specifically, the court found that making the patients’ information available through an Internet search engine amounted to a publication, even if the records were not intentionally exposed to public view. Id. at 770. Further, the court also found that it did not matter whether or not a third party had actually accessed the information, “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it. Id. at 771. Thus, the court found that publication occurred and the insurance company was to provide a defense to the underlying action. Id. at 772.
With little case law available regarding the scope of insurance coverage for a data breach, the trial court decision was a nice victory for policyholders. Let’s hope the Fourth Circuit agrees.
The author thanks Alex Barnstead for his assistance with this piece.