Insurer Owes Duty to Defend Data Breach Lawsuit Under Traditional Policy
On April 11, 2016, the United States Court of Appeals for the Fourth Circuit affirmed a decision by the United States District Court for the Eastern District of Virginia that an insurer owed a duty to defend an underlying class action lawsuit arising out of a data breach under traditional policies providing coverage for “personal and advertising injury.” See Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, --- F.3d ---, No. 14-1944 (4th Cir. April 11, 2016).
The insured, Portal Healthcare Solutions, specialized in safekeeping medical records for hospitals, clinics, and other medical providers. On April 18, 2013, Portal was sued in a class action lawsuit in New York State Court by a group of plaintiffs alleging that Portal failed to safeguard confidential medical records of patients at Glens Falls Hospital, posted those records on the internet, and caused the records (over 2,300 of them) to be publicly accessible on the internet. Glens Falls Hospital had contracted with Portal for the electronic storage and maintenance of the records, and a third party hosted the records on an electronic server. Two of the plaintiffs/patients allegedly discovered their medical records online when conducting a “Google” search of their respective names.
Travelers Indemnity Company of America (“Travelers”) issued to Portal two consecutive policies effective from January 31, 2012 to January 31, 2013, and from January 31, 2013 to January 31, 2014. The 2012 policy contained a Web Xtend Liability Endorsement containing an insuring agreement stating that Travelers agreed to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal injury,’ ‘advertising injury’ or ‘website injury’ to which this insurance applies.” The policy defined “advertising injury” and “personal injury” to include “oral, written or electronic publication of material that slanders or libels a person…” and “oral, written or electronic publication of material that appropriates a person’s likeness, unreasonably places a person in a false light or gives unreasonable publicity to a person’s private life.” “Website injury” means “injury, other than ‘personal injury’ or ‘advertising injury’” arising out of “oral, written or electronic publication of material that slanders or libels a person…” or “oral, written or electronic publication of material that appropriates a person’s likeness, unreasonably places a person in a false light or gives unreasonable publicity to a person’s private life,” among other enumerated offenses. The amended insuring agreement and definitions in the 2013 policy are similar to those in the 2012 policy.
Travelers agreed to defend Portal against the class action claims under a reservation of rights, and filed a declaratory judgment lawsuit, seeking a declaration that it owed no duty to defend or to indemnify Portal against the data breach claims. The parties filed cross-motions for summary judgment. The court denied Travelers’ motion and granted Portal’s, finding that the insured’s alleged conduct placed highly sensitive personal information before the public and thus fell within the policies’ coverage for “publication” giving unreasonable publicity to a person’s private life, triggering Travelers’ duty to defend.
Travelers argued that Portal’s conduct did not effect a publication because no third party was alleged to have viewed the information (the two records allegedly seen online were viewed by the patients owning the records). The district court rejected this argument, noting that the plain meaning of publication does not hinge on third-party access; publication instead occurs when the information is placed before the public, whether actually read or not. Travelers also argued, unsuccessfully, that Portal could not have published the information because the crux of its entire business was to keep the records private. The district court reasoned that the issue does not involve whether Portal intended to expose the records, since “publication” does not depend on the would-be publisher’s intent. A panel of the Fourth Circuit Court of Appeals adopted the reasoning of the district court, commending the lower court’s “sound legal analysis.”
This decision examining whether a data breach fulfills the publication requirement of Coverage B under a traditional policy comes approximately a year after a New York state court examined a similar issue involving a Sony PlayStation breach. See Zurich Am. Ins. Co. v. Sony Corp. of Am., NY Supreme Ct., NY Cty., No. 651982-2011. In that lawsuit, the court granted the insurer’s motion for summary judgment, reasoning that third-party hackers had published the sensitive information, and not the insured, and therefore, potential coverage under Coverage B – Personal and Advertising Injury was not triggered. Sony appealed the judgment and the matter settled on appeal after oral argument.
The Fourth Circuit’s decision in Portal Healthcare, therefore, is significant because it highlights the potential for coverage, at least in the context of a duty to defend, with respect to a data breach claim under Coverage B of a traditional general liability policy. As insureds increasingly have both traditional policies and “cyber insurance” policies in place, this decision raises the possibility of multiple insurers owing a defense or potential coverage for a data breach claim.