Fourth Circuit Finds CGL Insurer Has Duty to Defend Cyber Claim
In Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, L.L.C., 2016 U.S. App. Lexis 6554, decided on April 11, 2016, the United States Court of Appeals for the Fourth Circuit found that a commercial general liability insurer has the duty to defend its insured against a cybersecurity claim.
The Underlying Suit
On April 18, 2013, a class of plaintiffs sued Portal Healthcare Solutions, LLC. Portal specializes in the maintenance and safekeeping of medical records. Plaintiffs were patients of Glens Falls Hospital, which had contracted with Portal for the electronic storage and maintenance of its patients' private records. The plaintiffs alleged that, from November 2, 2012 to March 14, 2013, Portal placed their medical records on a server that permitted access to any internet user without any security restrictions. Any internet user could locate a plaintiff's record with a simple Google search of the plaintiff's name, and then access the record by clicking on the search result. The plaintiffs' class asserted counts of negligence, gross negligence, breach of warranties and breach of contract, and sought injunctive relief.
The Declaratory Judgment Action
At the time Portal allegedly published these records, Travelers insured it under 2012 CGL policy and a 2013 CGL policy. The 2012 policy included coverage for the "electronic publication of material that…gives unreasonable publicity to a person's private life." The 2013 policy included coverage for publication that "[d]iscloses information about a person's private life." Travelers sought a declaration from the Eastern District of Virginia that it had no duty to defend Portal, because Portal's actions did not amount to a covered publication.
The Eastern District determined that Travelers did have a duty to defend Portal, because Portal's conduct constituted "publication giving unreasonable publicity to, or disclosing information about, a person's private life, triggering Travelers's duty to defend." On appeal, the Fourth Circuit agreed. To resolve the case, the Fourth Circuit turned to the "Eight Corners" rule, which directs the court to resolve the matter with reference to the four corners of the underlying class action complaint and the four corners of Travelers' insurance policies. The Fourth Circuit also noted two mainstays of policy interpretation: that an insurer's duty to defend is broader than its obligation to pay; and that when there is doubt as to the meaning of a policy, the courts shall favor interpretations which grant coverage. Under this analysis, the Fourth Circuit agreed with the Eastern District that "the class action complaint at least potentially or arguably alleges a publication of private medical information by Portal" that is covered by Travelers policies.
Takeaway
There are three main lessons that arise from this decision:
1. CGL exposure may be greater than you think. There is a relatively new and growing focus on cyberinsurance policies. This may lead some to believe that the negligent online dissemination of personal healthcare information or personally identifiable information is not in the ambit of GCL policies. This case disposes of that belief, and insurers should price their policies accordingly.
2. Define key terms. This case emphasizes why, when drafting contracts, it is important to define key terms. The term "publication" was not defined in either Travelers policy. Travelers' argument that Portal's actions did not constitute a publication was therefore subject to the "plain and ordinary meaning" of the term. Turning to the dictionary, the Eastern District found that Portal has placed the plaintiffs' records "before the public (as through a mass medium," and thereby published them.
3. Vet your vendors. Portal may be covered for its defense of this case, but Glens Falls Hospital undoubtedly has a number of unhappy patients on its hands. When selecting vendors, especially those who will be handling sensitive data, it is vital to research their background and reputation. Even if it does not result in a lawsuit, the dissemination of private information can result in regulatory action, and will almost certainly lead to reputational damage.