Fourth Circuit Affirms Duty to Defend Online Data Breach Allegations

In Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016), the U.S. Court of Appeals for the 4th Circuit affirmed the judgment on the reasoning of the federal district court in Virginia (No. 1:13-cv-00917-GBL-IDD), holding that Travelers had a duty to defend Portal in an underlying class action alleging online publication by Portal of confidential patient medical information pursuant to two commercial general liability (CGL) policies Travelers issued to Portal in 2012 and 2013.

The CGL policies provide coverage in the event of “electronic publication of material that…gives unreasonable publicity to a person’s private life” (2012 policy language) or the “electronic publication of material that…discloses information about a person’s private life” (2013 policy language). The court’s analysis in determining Travelers’ duty to defend hinged on the existence of two prerequisites to coverage: (1) there was an electronic “publication” of material and (2) the published material gave “unreasonable publicity” to (2012 policy language) or “disclose[d]” information about (2013 policy language) a person’s private life.

With respect to the first prerequisite to coverage, the court noted that Travelers did not define the term “publication” in either the 2012 or 2013 policy, and therefore adopted the definition, “to place before the public (as through a mass medium)” as the plain and ordinary meaning of the term. The court reasoned that Portal’s alleged exposure of medical records to an online search of a patient’s name and a click on the first link to appear at least “potentially or arguably placed those records before the public”, constituting a “publication” for the purposes of the policy, regardless of whether such exposure was intentional or unintentional. Additionally, the court determined that actual third party access or viewing of the information was not a requisite component of a “publication”, and that the medical records were published as soon as the public was able to access them by searching online. Significantly, there was a “publication” of the information to anyone with internet access under the claims alleged even if no one but the patient actually viewed her medical records as a result of their online exposure.

With respect to the second prerequisite to coverage, the court adopted a similarly broad interpretation of “disclosure” under the 2013 policy language, using the definition “[t]he act or process of making known something that was previously unknown; a revelation of facts” to determine that, even if no third party viewed the medical records, they had still been “disclosed” under the claims alleged because Portal engaged in the “process of making previously unknown records suddenly known to the public at large” when it posted them online with unrestricted access. With respect to its analysis of the 2012 policy language, the court used, “the quality or state of being obvious or exposed to the general view” as the definition of “publicity” to find that posting medical records online without restriction, thereby enabling anyone to access them, gave “unreasonable publicity” to patients’ private lives, irrespective of whether Portal made any efforts to draw attention to such medical records.

Especially of note in the court’s analysis of Travelers’ policy language is its suggestion that an insured’s creation of the opportunity for third party access to confidential information via an alleged online data breach is sufficient to trigger liability under the policy. In assessing the import of this case, it should be noted that the duty to defend is generally broader than the duty to indemnify. Specifically, the court’s holding is that the grounds for liability alleged in the class-action complaint were “potentially or arguably covered by the policy”, therefore triggering Travelers’ duty to defend under Virginia law. However, the broad interpretation that the court afforded to Travelers’ policy language is a significant indication of potential liability to indemnify claims of this nature. Insurers may wish to use the interpretation of the policy language that the court provided in this case as guidance in drafting CGL policy language moving forward to avoid any ambiguities that may be interpreted to provide unintended coverage in this context.