UPDATED – Fourth Circuit Rules CGL Policy Covers Data Breach
Information accessible on the internet is “Published” even if no one reads it
Updated: Please see below for a letter from a reader suggesting this case would have gone differently under New York law, and Tamara’s response.
This week, the Fourth Circuit held that a complaint does not have to allege that anyone actually viewed private information that the insured made publicly available online to successfully allege “publication” of confidential information. An allegation that the information was online is sufficient to trigger the duty to defend under traditional commercial general liability policies.
The case demonstrates that, with the right set of facts and the right policy language, insureds can still look to traditional GL coverage for cyber liability claims.
It also underscores the importance for general liability insurers that wish to avoid coverage for data breaches of using express data breach exclusions, such as ISO’s optional endorsements that my colleague Harvey Nosowitz discussed here.
However, even those insureds whose GL policies do not include data breach exclusions would still be wise to consider purchasing cyber liability coverage, given the wide range of circumstances that can give rise to a data breach claim — not all of which will meet the “publication” requirement.
The Facts: Medical Records End up on the Internet
The defendant in the underlying case, Portal Healthcare Solutions, specialized in hosting and safekeeping electronic medical records for health care providers, including Glen Falls Hospital. When some of the hospital’s patients Googled their own names, they discovered links that led directly to their medical records. A class action suit followed alleging that Portal had posted their records online.
Portal’s insurer was Travelers, which had issued two “substantially identical” general liability policies in 2012 and 2013. (The records were online for four months spanning 2012 to 2013.) The policies covered damages for (1) the “electronic publication of material that … gives unreasonable publicity to a person’s private life” (the language in the 2012 Policy) or (2) the “electronic publication of material that … discloses information about a person’s private life” (the language in the 2013 Policy).
Discussion: Can Records be “Published” if Nobody Sees Them?
In the coverage suit, Travelers argued it had no duty to defend Portal in the class action because the plaintiffs did not allege that anyone but themselves had actually viewed the medical records that Portal had put online. Therefore, Travelers asserted, there was no “publication.”
A federal district court in Virginia disagreed, holding that Travelers had a duty to defend, because “exposing confidential medical records to online searching” does indeed constitute “publication” that both gives rise to “unreasonable publicity” (under the 2012 policy) and “discloses information about” a person’s private life (under the 2013 policy).
The Fourth Circuit affirmed in an unpublished opinion.
Noting that the policies did not define “publication,” the trial court turned to a dictionary. Websters defines it as “to place before the public.”
Dismissing Travelers’ argument that because the plaintiffs did not allege that a third party had viewed their records there was no claim for “publication,” the court held, that “the definition of ‘publication’ does not hinge on third-party access.” It is the “placing” of information that matters, not anyone’s later reading – or not reading – the material that was placed in the public domain.
Similarly, the court looked up “publicity” (used in the 2012 policy) and “disclosure” (used in the 2013 policy) in Websters, and found that posting medical records online met those definitions even if nobody subsequently viewed them.
Contrary Cases – Ease of Access and Insured’s Conduct
The Portal decision distinguished a 2014 Connecticut case, Recall Total Info. Mgmt, Inc. v. Fed. Ins. Co., which I discussed here. The case addressed coverage for claims arising from the loss of computer tapes containing private information for 500,000 individuals. The tapes fell out of the back of a van, were taken by an unknown person, and never recovered. There was no evidence that anyone actually accessed the information in the tapes, which required specialized equipment to read.
Therefore, the court concluded, there was no publication of the information. By contrast, the Portal court reasoned, the patients’ information was available “not just to a single thief but to anyone with a computer and internet access.”
A New York trial court also ruled in Zurich American Insurance Co. v. Sony Corp. of America (scroll to pg. 16 for relevant part) that an insurer had no duty to defend Sony after its PlayStation online services were hacked. Acts by third-party hackers do not constitute “publication in any manner,” said New York’s Supreme Court.
In contrast, Portal (rather than a third-party hacker) allegedly posted the patient’s records online, even if inadvertently. That alone, according to the Fourth Circuit, is a sufficient allegation of publication to trigger the duty to defend.
Taken together, the three cases indicate that accessibility to the information, as well as the insured’s alleged role in making the information accessible are key factors in the “publication” determination. In the “no-publication” cases, a thief (truck case) and hackers (Sony case) did the actual alleged publication; whereas in Portal, it was the insured itself (Portal) who allegedly made the information available.
Update 4.20.16 – How New York Would Have Handled Case
In response to this post, a reader commented:
Thanks for the illuminating e-mail article!
Although it is beyond cavil that a “publication” has occurred, I would merely like to add that had the instant matter been governed by New York law, there is some doubt whether the allegedly “wrongful” — albeit likely accidental — four-month publication of the subject medical records would have even qualified as “personal injury” as defined under Travelers‘ CGL policies.
Under New York law “personal injury” coverage is intended to reach only purposeful acts undertaken by the insured or its agents — and does not include the seemingly inadvertent, albeit reckless, type of publication at issue here. In this regard, the “violation of privacy” envisioned by such “personal injury” coverage would appear confined to a violation such as of New York‘s Civil Rights law which bars the publication of a person‘s likeness for economic gain without their consent, or some other intentional or quasi-intentional tort committed by the insured or its agents — something not at issue in the “Portal” matter!
Matthew Siegel, President
Telesis Liability Insurance Coverage Software
Thank you for your insights on New York law. Your comment highlights the importance of which state’s law will govern. The New York Trial Court in the Sony Play Station coverage case agreed that, as you note, the “publication” must be by the insured, rather than a third party, for coverage to apply. Unfortunately (at least for some) the case settled while the appeal was pending so we do not have the benefit of the Appellate Division’s further guidance on coverage in the face of a hacking situation.
Image credit: Sean MacEntee
Posted In: Cyber Liability