Fourth Circuit: Insurer Has a Duty to Defend Because CGL Policies Might Cover Data Breach

Here’s an interesting development in two areas close to my professional heart: technology and insurance coverage. It’s been said with some frequency in recent years that traditional CGL policies do not cover losses arising from data breaches. Last week, however, the United States Court of Appeals for the Fourth Circuit affirmed a district court’s finding that a CGL policy might cover a data breach and that the insurer therefore had a duty to defend.

In Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, patients whose private medical records were exposed online filed a class action in New York. The patients alleged that Google searches of their names revealed their private medical records from when they were patients at a New York hospital, and that Portal was partially to blame. (The records were apparently the first links listed by Google, further proving the axiom that if it’s not on the first page of Google, it doesn’t exist.) Portal was covered by two consecutive Travelers CGL policies, and after Portal demanded coverage, Travelers filed a declaratory judgment action in the Eastern District of Virginia, seeking a finding that its 2012 and 2013 CGL policies did not cover the alleged injuries.

Specifically, Portal alleged that the personal and advertising injury clauses in Coverage B applied to the alleged data breach. The two policies had slightly different language. In the earlier policy, Travelers was obligated to pay if Portal became legally liable for damages resulting from an advertising or website injury that arose from the “oral, written, or electronic publication of material that…gives unreasonable publicity to a person’s private life.” The later policy changed this slight to over electronic publication that “discloses information about a person’s private life.”

Travelers argued the patient’s claims were not covered because there was no “publication” because the records were not released intentionally and were not viewed by third parties. The district court, however, held that coverage applied because putting private medical records online was a “publication” that gave “unreasonable publicity to” or “disclosed information about” a person’s private life–even though unintentional and not viewed by third parties. Specifically:

Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it…By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.

Hence, Travelers had a duty to defend.

The Fourth Circuit wholeheartedly agreed with the District Court, stating:

[W]e commend the district court for its sound legal analysis…[T]he class-action complaint “at least potentially or arguably” alleges a “publication” of private medical information by Portal that constitutes conduct covered under the Policies…Such conduct, if proven, would have given “unreasonable publicity to, and disclose[d] information about, patients’ private lives,” because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.

Fortunately, Portal is an unpublished, per curiam decision, which means it has no precendential value. Moreover, on a factual level, Portal should also be limited in impact because of the specific language in the policies in issue, language that many insurers have subseqently changed in their more recent CGL policies–proving, once again, that policy language is always what matters.

There are going to be many more twists and turns in the data breach coverage area before the dust finally settles, so stay tuned.


Admit it, you Googled yourself after reading this…

About Brian Jones

I represent clients in all aspects of business litigation, but focus my practice on complex litigation and arbitration matters concerning insurance and reinsurance, antitrust, class actions, securities, real estate disputes, and contract matters. I am the co-chair of the Bose McKinney & Evans Insurance Group. I was listed in the 2017 and 2016 "Best Lawyers in America" for Insurance Coverage and named a "Rising Star" in Insurance Coverage by Super Lawyers in Indiana in 2014. I was also named a "Rising Star" in Business Litigation by Super Lawyers in Indiana in 2013 and 2012, and a 2010 “Rising Star” in Business Litigation in Texas. I am a member of the State Bars of Indiana and Texas, the Defense Research Institute, a former member of the Pro Bono College of the State Bar of Texas, and I am licensed to practice before all state courts in Indiana and Texas, as well as all federal courts in Indiana, the Northern, Western, and Southern Districts of Texas, the Northern District of Illinois, and the United States Courts of Appeals for the Fifth, Seventh, and Eleventh Circuits. I received my bachelor’s degree, cum laude, in political science and my master’s degree in teaching from Trinity University, where I was elected to Phi Beta Kappa. I received my doctor of jurisprudence degree from the University of Texas School of Law, where I was the Director of Communications for the Legal Research Board and a member of the Phi Delta Phi Honor Society. Before attending law school, I taught high school geography, government and economics in San Antonio, Texas.
This entry was posted in Advertising injury, CGL, Commercial Lines, Litigation and tagged , , , , , . Bookmark the permalink.

Share your thoughts

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s