A federal appeals court in Virginia has upheld a lower federal court in ruling that a commercial general liability policy (CGL) may cover a data breach. In a case involving the publication of private medical records on the Internet, the courts found that coverage included in a CGL for personal and advertising injury applied.
Monday’s ruling by the U.S. Court of Appeals for the 4th Circuit is a defeat for Travelers Insurance which had argued that its 2012 and 2013 CGL policies did not require it to defend its insured, Portal Healthcare Solutions, which was being sued over a data breach.
(See also, related article, Fallout from the Travelers CGL Cyber Ruling: Insurance Buyers and Sellers Beware.”)
The U.S. court ruling is at odds with at least two state court rulings, one in Connecticut in 2015 and the other in New York in 2014, that found no coverage for cyber claims in traditional commercial insurance policies.
Cyber insurance expert Stephanie Snyder, senior vice president for Aon Risk Solutions, says the ruling was more about “publication” than cyber and it only addressed defense costs, not breach notification costs, credit monitoring or computer forensics expenses, in this update from the RIMS conference in San Diego.
The action was brought against Portal, a medical records safekeeping firm with its principal office in Virginia that was hired by Glens Falls Hospital in New York and was insured by Travelers Indemnity.
In 2013, Travelers sought a declaration that it was not obligated to defend Portal in the civil suit because the breach was not covered under its policies. However, on August 7, 2014, the District Court for the Eastern District of Virginia in Alexandria ruled that Travelers was obligated to defend Portal under its Coverage Part B Personal and Advertising Injury.
In its unpublished per curiam opinion issued Monday, the circuit court of appeals upheld the judgment and the reasoning of the district court. The higher court praised the district court for its “sound legal analysis” and accused Travelers of trying to “parse alternative dictionary definitions” to escape its duty to defend Portal.
Travelers issued Portal two substantially identical insurance policies. The first was effective from January 31, 2012 to January 31, 2013, and the second from January 31, 2013 to January 31, 2014.
The 2012 and 2013 policies—under Coverage Part B Personal and Advertising Injury—obligated Travelers to pay if Portal became legally obligated to pay damages because of an advertising or website injury arising from the “electronic publication of material that… gives unreasonable publicity to a person’s private life” (the language found in the 2012 policy) or (2) the “electronic publication of material that… discloses information about a person’s private life.”
The district court held, and the circuit court agreed, that the insurance coverage applied to the conduct alleged by the plaintiffs because exposing confidential medical records to online searching is “publication” giving “unreasonable publicity” to, or “disclosing” information about, a person’s private life. Thus, Travelers had a duty to defend Portal against the underlying class action, the court said.
Travelers had argued that there was no “personal injury” or “publication” as defined by the policies because release of the records was not intentional and they were not viewed by a third party. But the court said an unintentional publication is still publication. The court also said the definition of publication does not hinge on third party access.
“Publication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it,” the court said. “By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not ‘published’ until a customer takes the book off the shelf and reads it.”
The lower court said Travelers’ understanding of the term publication “does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.”
Next, the court found that the public availability of a patient’s confidential medical records gave “unreasonable publicity” to that patient’s private life and “disclose[d]” information about that patient’s private life, satisfying the policies’ second prerequisite to coverage.
Travelers had argued that no “publicity” occurred because Portal did not take steps designed to attract public interest or gain public attention or support.” But the court said Portal’s conduct fell within a broader and primary definition of “publicity” and suffices to establish that Portal gave unreasonable publicity to patients’ private lives when it posted their medical records online without security restriction.
Travelers cited a 2015 case in which the Connecticut Supreme Court ruled there was no coverage under CGL and umbrella policies issued by Federal Insurance Co. and Scottsdale Insurance Co. for the loss of computer tapes that exposed personal information of IBM employees. In that case, 130 tapes fell out of the back of a van and were retrieved by an unknown person and were never recovered.
But the U.S. appeals court said that precedent did not apply because in the Portal case the information was posted on the internet and not just to a single thief but to anyone with a computer and internet access.
In 2014, a New York court ruled in a CGL policy coverage case that Zurich American Insurance Co. had no duty to defend Sony Corp. of America and Sony Computer Entertainment America in litigation stemming from the April 2011 hacking of Sony Corp.’s PlayStation online services. The Supreme Court of the State of New York granted summary judgment, ruling that acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the personal and advertising injury coverage under the CGL policy issued by Zurich.
As cyber risk has been evolving, the insurance industry has been trying to clarify that CGL policies exclude coverage for data breaches. The industry’s policy form organization ISO issued optional endorsements in 2013 and 2014 deleting invasion of privacy-related offenses from the definition of personal and advertising injury applicable to Coverage B and addressing access or disclosure of confidential or personal information.
Meanwhile, insurers have been offering standalone cyber policies and endorsements to businesses of all sizes in need of cyber coverage. However, because cyber risk is difficult to model and price, insurers are also being cautious in how much cyber insurance they are writing.
The court opinions are embedded below.