Following an April 11 ruling by the Fourth Circuit in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, Travelers must defend its policyholder, Portal Healthcare, in a class action lawsuit concerning a security breach.  For years, courts have wrestled with whether traditional commercial general liability (CGL) policies provide coverage in the event of a data breach.  The results have been mixed.  This most recent decision highlights the uncertainty that remains over whether traditional insurance policies cover cyber liabilities and, if so, under what circumstances and to what extent.  This case appears to have been driven by specific policy language and the facts of the cyber incident, particularly the conduct of the policyholder, but highlights the increasing prevalence of cyber insurance issues.

Travelers had issued two CGL policies to Portal Healthcare, a medical records company.  In April 2013, a class action was filed in New York state court alleging that, as a result of Portal Healthcare’s failure to properly protect its server, confidential medical records for patients at a New York hospital were accessible on the Internet to unauthorized individuals.  The class action complaint asserts counts for alleged negligence, breach of warranty, and breach of contract, and also seeks injunctive relief against Portal Healthcare, the hospital, and others.

In July 2013, Travelers filed the coverage action at issue here in the U.S. District Court for the Eastern District of Virginia.  Travelers sought a declaration that it was not obligated under its CGL policies to defend or indemnify Portal Healthcare against the underlying class action lawsuit.  Specifically, Travelers argued that it was entitled to declaratory judgment because the underlying class action does not allege “personal injury,” “publication of material,” “advertising injury” or “website injury,” as defined in the Travelers policies.

In April 2014, both parties sought summary judgment on the issue of Travelers’ alleged duty to defend Portal Healthcare in the underlying class action.  Travelers maintained that there was no “publication” because (1) Portal Healthcare’s conduct was unintentional, and (2) no third party was alleged to have viewed the information.  Travelers also argued that Portal Healthcare’s conduct did not “disclose” the patients’ private lives because the patients viewed only their own records.

The district court rejected Travelers’ arguments.  As to the first argument, the district court explained that a “publication” does not depend on the “would-be publisher’s intent.  Rather it hinges on whether the information was placed before the public.  Because an unintentional publication is still a publication. . .”  As to the second argument, the district court reasoned that a “publication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.”  As to the third argument, the district court noted that the word “disclosure” meant the “act or process of making known something that was previously unknown” and Portal Healthcare did just that: by posting the patient records it engaged in the process of making previously unknown information known to the public at large.  The district court was also unconvinced by the cases relied on by Travelers, which involved either (1) plaintiffs being handed paper receipts of their own personal credit card information or (2) the theft of computer tapes.  The district court stated that these cases were distinguishable because the instant case involved information that was published online and accessible to anyone with Internet access.

In rejecting Travelers’ arguments, the district court denied Travelers’ motion and granted Portal Healthcare’s motion, and held that Travelers’ CGL policies at least potentially covered the conduct alleged by the class action plaintiffs.  The district court concluded that making the records publicly available through an online search amounted to a “publication” under the policies that gave “unreasonable publicity” to and “disclosure” of information about the patients’ private lives.

On appeal, the Fourth Circuit affirmed, agreeing with the district court that Travelers is obligated to defend Portal Healthcare against the underlying class action.  In an unpublished opinion, the Fourth Circuit reasoned that the conduct alleged in the class action complaint at least potentially constitutes a “publication” of the patients’ private medical information.  Because the Fourth Circuit’s opinion did not contain much additional analysis, litigants are likely to look to the district court’s opinion in future disputes, which will inevitably arise, concerning alleged coverage for cyber incidents.