Here’s an interesting development in two areas close to my professional heart: technology and insurance coverage. It’s been said with some frequency in recent years that traditional CGL policies do not cover losses arising from data breaches. Last week, however, the United States Court of Appeals for the Fourth Circuit affirmed a district court’s finding that a CGL policy might cover a data breach and that the insurer therefore had a duty to defend.
In Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, patients whose private medical records were exposed online filed a class action in New York. The patients alleged that Google searches of their names revealed their private medical records from when they were patients at a New York hospital, and that Portal was partially to blame. (The records were apparently the first links listed by Google, further proving the axiom that if it’s not on the first page of Google, it doesn’t exist.) Portal was covered by two consecutive Travelers CGL policies, and after Portal demanded coverage, Travelers filed a declaratory judgment action in the Eastern District of Virginia, seeking a finding that its 2012 and 2013 CGL policies did not cover the alleged injuries.
Specifically, Portal alleged that the personal and advertising injury clauses in Coverage B applied to the alleged data breach. The two policies had slightly different language. In the earlier policy, Travelers was obligated to pay if Portal became legally liable for damages resulting from an advertising or website injury that arose from the “oral, written, or electronic publication of material that…gives unreasonable publicity to a person’s private life.” The later policy changed this slight to over electronic publication that “discloses information about a person’s private life.”
Travelers argued the patient’s claims were not covered because there was no “publication” because the records were not released intentionally and were not viewed by third parties. The district court, however, held that coverage applied because putting private medical records online was a “publication” that gave “unreasonable publicity to” or “disclosed information about” a person’s private life–even though unintentional and not viewed by third parties. Specifically:
Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it…By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.
Hence, Travelers had a duty to defend.
The Fourth Circuit wholeheartedly agreed with the District Court, stating:
[W]e commend the district court for its sound legal analysis…[T]he class-action complaint “at least potentially or arguably” alleges a “publication” of private medical information by Portal that constitutes conduct covered under the Policies…Such conduct, if proven, would have given “unreasonable publicity to, and disclose[d] information about, patients’ private lives,” because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.
Fortunately, Portal is an unpublished, per curiam decision, which means it has no precendential value. Moreover, on a factual level, Portal should also be limited in impact because of the specific language in the policies in issue, language that many insurers have subseqently changed in their more recent CGL policies–proving, once again, that policy language is always what matters.
There are going to be many more twists and turns in the data breach coverage area before the dust finally settles, so stay tuned.