Apr 252016

Fourth Circuit Affirms Duty to Defend Online Data Breach Allegations

Andrew R. Holland, Jonathan Kelly and Laura Wilson-Youngblood
, , ,

In Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016), the U.S. Court of Appeals for the 4th Circuit affirmed the judgment on the reasoning of the federal district court in Virginia (No. 1:13-cv-00917-GBL-IDD), holding that Travelers had a duty to defend Portal in an underlying class action alleging online publication by Portal of confidential patient medical information pursuant to two commercial general liability (CGL) policies Travelers issued to Portal in 2012 and 2013.

The CGL policies provide coverage in the event of “electronic publication of material that…gives unreasonable publicity to a person’s private life” (2012 policy language) or the “electronic publication of material that…discloses information about a person’s private life” (2013 policy language). The court’s analysis in determining Travelers’ duty to defend hinged on the existence of two prerequisites to coverage: (1) there was an electronic “publication” of material and (2) the published material gave “unreasonable publicity” to (2012 policy language) or “disclose[d]” information about (2013 policy language) a person’s private life.

With respect to the first prerequisite to coverage, the court noted that Travelers did not define the term “publication” in either the 2012 or 2013 policy, and therefore adopted the definition, “to place before the public (as through a mass medium)” as the plain and ordinary meaning of the term. The court reasoned that Portal’s alleged exposure of medical records to an online search of a patient’s name and a click on the first link to appear at least “potentially or arguably placed those records before the public”, constituting a “publication” for the purposes of the policy, regardless of whether such exposure was intentional or unintentional. Additionally, the court determined that actual third party access or viewing of the information was not a requisite component of a “publication”, and that the medical records were published as soon as the public was able to access them by searching online. Significantly, there was a “publication” of the information to anyone with internet access under the claims alleged even if no one but the patient actually viewed her medical records as a result of their online exposure.

With respect to the second prerequisite to coverage, the court adopted a similarly broad interpretation of “disclosure” under the 2013 policy language, using the definition “[t]he act or process of making known something that was previously unknown; a revelation of facts” to determine that, even if no third party viewed the medical records, they had still been “disclosed” under the claims alleged because Portal engaged in the “process of making previously unknown records suddenly known to the public at large” when it posted them online with unrestricted access. With respect to its analysis of the 2012 policy language, the court used, “the quality or state of being obvious or exposed to the general view” as the definition of “publicity” to find that posting medical records online without restriction, thereby enabling anyone to access them, gave “unreasonable publicity” to patients’ private lives, irrespective of whether Portal made any efforts to draw attention to such medical records.

Especially of note in the court’s analysis of Travelers’ policy language is its suggestion that an insured’s creation of the opportunity for third party access to confidential information via an alleged online data breach is sufficient to trigger liability under the policy. In assessing the import of this case, it should be noted that the duty to defend is generally broader than the duty to indemnify. Specifically, the court’s holding is that the grounds for liability alleged in the class-action complaint were “potentially or arguably covered by the policy”, therefore triggering Travelers’ duty to defend under Virginia law. However, the broad interpretation that the court afforded to Travelers’ policy language is a significant indication of potential liability to indemnify claims of this nature. Insurers may wish to use the interpretation of the policy language that the court provided in this case as guidance in drafting CGL policy language moving forward to avoid any ambiguities that may be interpreted to provide unintended coverage in this context.

 

Andrew R. Holland

New York

aholland@sidley.com

Jonathan Kelly

New York

jjkelly@sidley.com

Laura Wilson-Youngblood

lwilson-youngblood@sidley.com

You might also like
New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).

Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

Regulatory Update: National Association of Insurance Commissioners Spring 2023 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Spring 2023 National Meeting (Spring Meeting) March 21–25, 2023. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, continued discussion of considerations related to private equity (PE) ownership of insurers, new initiatives to address innovation and technology in the insurance sector, and continued development of a new consumer privacy protections model law.