The Fourth Circuit Court of Appeals has affirmed a lower court ruling finding that the placement of confidential patient medical records on the Internet qualifies as “publication” for purposes of an insurer’s duty to defend under a commercial general liability policy.1
According to an underlying class action complaint, Portal Healthcare Solutions (“Portal”) allowed private medical records to remain on an unsecured server and exposed to anyone with an Internet connection for more than four months. At issue in coverage litigation between Portal and its general liability insurer, Travelers, was policy language requiring Travelers to pay sums Portal became legally obligated to pay as damages because of injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life” or “discloses information about a person’s private life.” Rejecting attempts by Travelers to require evidence that the policyholder intended to communicate information to third parties before a “publication” would be found, District Court Judge Gerald Bruce Lee ruled that, if proven, plaintiffs’ allegations qualified as “publication,” which the dictionary defines broadly to include “plac[ing] before the public (as through a mass medium).”
Fourth Circuit Judges King, Diaz and Harris agreed. The panel cited authority noting that courts “have been consistent in construing the language of [insurance] policies, where there is doubt as to their meaning, in favor of that interpretation which grants coverage, rather than that which withholds it.” At least for purposes of Portal’s claim for a defense against the underlying class action complaint, plaintiffs’ allegations “potentially” allege “publication” under Travelers’ policies: “Given the eight corners of the pertinent documents, Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal.”
Within the past several years, other courts have had occasion to consider what “publication” means and requires in the context of a data breach. Most notably, in a suit by Sony Corporation’s general liability carriers, Zurich America and Zurich Insurance Co., Ltd., New York Supreme Court Justice Jeffrey Oing issued a verbal ruling in 2014, finding that Zurich had no duty to defend Sony in connection with underlying class action lawsuits, miscellaneous claims and regulatory actions because “coverage for oral or written publication of materials that violate a person’s right to privacy only applies to material published by Sony as the policyholder, not to the hackers who stole users’ confidential information.”2 While the court’s decision was on appeal, Sony and Zurich reached a settlement in 2015, which precluded further judicial resolution of the disputed meaning of “publication” in Sony’s policy.
In Recall Total Information Management, Inc. v. Federal Insurance Company, 115 A.3d 458 (Conn. 2015), the Supreme Court of Connecticut found that data logistics provider Recall Total was not entitled to coverage for $6 million in damages paid to IBM following the loss of 130 computer tapes containing personal information of more than 500,000 IBM current and former employees. The Court adopted the reasoning of the lower appellate court holding that the subject liability policy required “electronic, oral, written or other publication of material that . . . violates a person’s right of privacy,” and notwithstanding Recall’s assertion that “the mere loss of the tapes constitutes a publication,” “[t]here is nothing in the record suggesting that the information on the tapes was ever accessed by anyone.”
The Fourth Circuit’s ruling in Portal Healthcare Solutions is an important reminder to policyholders that, notwithstanding prior decisions in Sony and Recall Total Information Management and the emergence of an ever-growing market for dedicated privacy liability and network security policies, traditional liability insurance policies should not be overlooked. Even in the wake of a data breach, standard general liability policies and other forms of traditional insurance, including D&O, E&O, crime and fidelity coverage, may provide significant coverage for defense costs, settlements or judgments.
If you have any questions about insurance coverage for loss and liability arising out of a data breach or about liability insurance coverage in general, please contact one of the Haynes and Boone Insurance Recovery Practice Group partners listed below.
1 See Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944 (4th Cir. Apr. 11, 2016).
2 Judy Greenwalt, Zurich owes no defense in Sony PlayStation hacking: Court, Businessinsurance.com (Feb. 25, 2014).