Fourth Circuit Confirms that Data Breach Claims are Covered Under Traditional CGL Policies

Policyholders may still enforce an insurer’s duty to defend under a Commercial General Liability (“CGL”) policy for claims arising out of a data security breach, according to a recent Fourth Circuit decision. While the decision was issued in an unpublished opinion (a mere 18 days after oral argument), the decision represents a significant victory for policyholders seeking insurance coverage for claims arising out of data breaches resulting in the disclosure of personal information.

Portal Healthcare Solutions LLC (“Portal”) was sued in a purported class action filed in New York state court, alleging that it had failed to safeguard the confidential medical records of patients at a hospital facility, posted those records on the internet, and caused those records to become publicly accessible. The data breach was discovered when a “Google” search for certain patient names returned at the first link the patient medical records being maintained by Portal. The alleged disclosure occurred over an extended period, and therefore Portal sought coverage under two separate CGL policies issued by Travelers, which provided coverage for “personal injury” arising out of the electronic publication of certain materials. The “personal injury” coverage of the applicable policies required both (1) an electronic “publication” of material and (2) that the publication gave “unreasonable publicity” to, or “disclosed” information about, a person’s private life. Travelers denied coverage and commenced a declaratory judgment action claiming that the class action failed to allege a covered publication by Portal.

The parties filed cross motions for summary judgment on whether Travelers had an initial duty to defend Portal in the class action. The district court (in a published opinion in 2014), initially enforced Travelers’ duty to defend in the class action, finding that “the medical records were published the moment they became accessible to the public via an online search,” and therefore were available “to anyone with a computer and internet access.” The district court also concluded that “the public availability of a patient’s confidential medical records gave ‘unreasonable publicity’ to that patient’s private life, and ‘disclose[d]’ information about that patient’s private life.”

In affirming the district court’s ruling enforcing a duty to defend under the applicable policies, the Fourth Circuit “commend[ed] the District Court for its sound legal analysis,” and noted it was “content to affirm the judgment on the reasoning of the district court.” The Court also noted that if the insurer did not intend to provide a particular type of coverage (as it had argued), it must “use language clear enough to avoid ambiguity.”

The Fourth Circuit’s decision is certainly a significant win for policyholders seeking coverage under a CGL policy for claims arising out of a data breach, representing the most recent decision and the highest court to consider the issue. However, the effect of the decision may be short-lived. Specifically, the policies issued to Portal were on forms that predate introduction of policy endorsements that exclude all coverage for “personal injury” alleged to be “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including … financial information, credit card information, health information or any other type of non-public information.” The forms containing this exclusion were introduced in May 2014, and have been (or may be) included upon renewal of CGL policies. However, the exclusions have not been universally adopted by all insurers, and have not been added to all CGL policies. Moreover, these exclusions have not been tested or interpreted in any reported decision to date. That stated, it is clear insurers are directly resisting and eroding coverage under traditional policies – including specifically CGL policies – and policyholders should be ever-vigilant so that new exclusions or conditions that restrict or delete previously available coverage are identified and addressed as part of the renewal negotiations. In addition, policyholders may consider the viability of “cyber policies” as an integral part of their risk management strategy.

The Fourth Court’s decision serves as confirmation that policyholders should review all available insurance policies in the event of a data breach giving rise to third party claims. While the availability of coverage is dependent upon the specific terms and conditions of each policy, careful review and analysis of all potentially applicable coverage – including CGL policies – can provide substantial benefits in the event of a loss or third party claim arising out of any data breach.