April 15, 2016
Insurance Law Alert
Author(s): Kurt M. Mullen
In an unpublished decision, the United States Court of Appeals for the Fourth Circuit in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, 2016 U.S. App. LEXIS 6554, 2016 WL 1399517 (4th Cir., April 11, 2016) affirmed a district court’s ruling that an insurer has a duty under Virginia law to defend an insured against a putative data breach class action. The district court’s ruling is noteworthy because it involved coverage for a data breach claim under a CGL policy.
The policyholder in Portal specialized in the electronic safekeeping of medical records for hospitals, clinics and other providers. In April 2013, a putative class-action suit was filed against the policyholder in New York state court alleging that it failed to safeguard patient medical records, resulting in the records being posted on the internet. Two patients discovered their own records when they conducted a “Google” search of their names. The class-action suit alleged that these records were accessible, viewable, copyable, printable and downloadable from the internet by unauthorized persons—though there was no allegation that any third person actually had done so.
The insurer defended the policyholder against the putative class action under a reservation of rights and brought a separate coverage action against the policyholder in the Eastern District of Virginia. In the coverage action, the insurer sought a declaration that it had no duty to defend the policyholder under either of the two general liability policies the insurer had issued. The district court rejected the insurer’s argument and entered summary judgment in the policyholder’s favor.
In reaching its conclusion, the district court limited itself solely to the allegations in the class action complaint and the terms and conditions of the insurance policies in accordance with Virginia’s so-called “Eight Corners’ Rule.” The district court rejected the insurer’s argument that the alleged data breach was not a “personal injury” under Coverage B of the policies because the breach did not result in a “publication” of electronic material (because the breach was unintentional and because no third party was alleged to have downloaded the records). Rather, the district court reasoned that the class action complaint’s allegations fell within the common dictionary definition of “publication.” The district court also rejected the insurer’s reliance on three cases from other jurisdictions that had determined that there was no coverage under general liability policies for data breaches. Among those cases was Recall Total Info. Mgmt. Inc. v. Federal Ins. Co., 83 A.3d 665 (Conn. App. Ct. 2013), aff’d, 115 A.3d 458 (Conn. 2015), in which the Connecticut Appellate Court determined that there was no “personal injury” for claims arising out of missing computer tapes that had fallen out of the back of a van because there was no allegation that the information had been published.
The district court in Portal also concluded that the posting of this information online also gave “unreasonable publicity” and “disclose[d]” information about the patients’ private lives, regardless of whether the records actually were downloaded by a third person.
The Fourth Circuit “commend[ed] the district court for its sound legal analysis,” similarly limiting itself to the class action complaint and the applicable insurance policies. The Fourth Circuit determined that the district court appropriately concluded that the disclosure of patient information on the internet was a “publication,” thereby coming within the policies’ coverage for purposes of the duty to defend. However, the Fourth Circuit did not address whether the insurer had a duty to indemnify the policyholder. Moreover, the Fourth Circuit’s opinion also did not address the arguments that this type of risk would be more appropriately covered by cyber liability insurance, which is rapidly growing in the market.
While the Portal decision represents a successful effort by a policyholder to obtain coverage under a CGL policy for a data breach class action, its impact may be limited. The policies before the court in Portal included endorsements that replaced the Personal and Advertising Injury Liability coverage part (Coverage B) in the standard CGL policy form with Personal Injury, Advertising Injury and Web Site Injury Liability coverage. More recent versions of the standard ISO CGL coverage form have added exclusions to Coverage B for “personal and advertising injury” arising out of alleged violations of the Telephone Consumer Protection Act (TCPA) and the CAN-SPAM Act of 2003, including any related amendments or regulations. (The most recent version of the standard form also excludes personal and advertising injury coverage for alleged violations of the Fair Credit Report Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA).) ISO also has created an endorsement for CGL coverage aimed at excluding coverage for data breaches altogether. In addition, the issue before the court in Portal involved the duty to defend, which is interpreted more broadly than the duty to indemnify.
Given these limitations, as well as decisions in other jurisdictions that have concluded that data breach actions are not covered under standard CGL policies, it seems unlikely that the Fourth Circuit’s affirmance of the district court in Portal will have a significant impact on the continued development of the cyber liability insurance market. One can expect, however, that policyholders will continue to argue that there may be coverage for data breaches under CGL policies.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.