Policyholder Takeaways From Portal

K&L Gates LLP

This article was first published by Advisen on May 2, 2016.

In a solid victory for policyholders, the Fourth Circuit upheld coverage last week for a potential data breach incident involving confidential medical records.  The case is The Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C.,[1] and involved coverage under two commercial general liability (CGL) insurance policies.

Significantly, and in contrast to the Recall Total case that was widely reported and debated last year,[2] the Fourth Circuit in Portal Healthcare confirmed that a covered “publication” of records can exist even if the records at issue are not actually accessed by any third party.  Rather, the Fourth Circuit confirmed that “publication” is satisfied for purposes of CGL coverage if the records are merely accessible.  Likewise, in contrast to the New York trial court’s decision in the Sony PlayStation data breach insurance coverage litigation,[3] the Fourth Circuit outright rejected the insurer’s argument that CGL coverage requires “intent” to publish the information, finding unintentional publication sufficient. 

Portal Healthcare provides insureds another arrow in the coverage quiver, serving as an important reminder that actual and potential data breaches may be covered under CGL and other traditional policies.

Here we offer a brief summary of the Portal Healthcare facts and holding—and 5 key takeaways.

Portal Facts And Holding
The insured in Portal Healthcare, Portal Healthcare Solutions, L.L.C., specializes in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.[4]  At issue in Portal Healthcare was whether Portal’s CGL insurer, Travelers, had a duty to defend Portal against class-action allegations that Portal failed to safeguard confidential medical records by posting those records on the internet and making them available to anyone who searched for a patient’s name and clicked on the first result.[5]

On cross motions for summary judgment in the insurance coverage litigation, the federal district court held that the posting of medical records was an electronic “publication,” and therefore covered under Portal’s CGL policies.[6]  Significantly, the court rejected Travelers’ argument that there was no covered “publication” because no third party was alleged to have viewed the information.[7]  Rather, applying established rules of insurance policy construction, the district court found that the undefined term “publication” required only that the records be “placed before the public”[8] and it therefore was not relevant whether or not the records were accessed by a third party.  Drawing analogy to a book placed on a Barnes & Noble shelf, the court noted that Travelers’ argument was contrary to the plain meaning of “publication”:

By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it. Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.[9]

In reaching its decision, the district court distinguished the authorities relied upon by Travelers, including Recall Total,[10]  finding that Recall Total was inapposite because, in contrast to Recall Total, the information in Portal Healthcare “was posted on the internet and thus, was given not just to a single thief but to anyone with a computer and internet access.”[11]

In addition, and also significantly, the district court rejected Travelers’ proposition that “publication” requires an intent to publish by the insured, finding that “an unintentional publication is still a publication.”[12]  The court further explained that “the issue cannot be whether [the insured] intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.  Rather, it hinges on whether the information was placed before the public.”[13]

The district court concluded that “the facts and circumstances alleged in the class-action complaint at least ‘potentially or arguably’ constitute a ‘publication’….”[14]  

The Fourth Circuit affirmed, commending the district court’s “sound legal analysis” and confirming that “Travelers has a duty to defend Portal against the class-action complaint.”[15]

The Takeaways
Portal Healthcare offers five key takeaways:

  1. Remember “traditional” policies.  Portal Healthcare illustrates that there may be valuable data breach coverage under CGL and other traditional insurance policies—even in the absence of an actual breach of information.[16] This is important for organizations to remember because, while a growing number of organizations purchase specialty “cyber” and technology errors and omissions (E&O) policies, which are specifically designed to afford coverage for data breaches and other cybersecurity and data privacy-related risks, most organizations also have various forms of traditional insurance policies that may cover various types of cyber and privacy risks, including CGL, D&O, professional liability, property, and commercial crime policies, among others. In many circumstances there may be overlapping coverage under a number of the organization’s specialty and traditional insurance coverage.
     
  2. Identify potential coverage—and potential coverage gaps—before a breach incident.  Organizations are advised to carefully consider potential coverage across their entire insurance portfolio in advance of a potential breach event and undertake a “gap” analysis.  While there may be valuable coverage under an organization’s CGL and other “traditional” insurance policies, insurers have made it abundantly clear that they do not want to cover “cyber” and various privacy-related exposures, including data breach, under traditional policies.  For this reason, insureds should be aware that they may face costly insurance litigation to secure coverage, even where there is a good argument in favor of coverage.  Likewise, in response to decisions upholding coverage for data breaches and other privacy-related exposures, the insurance industry has added various limitations and exclusions in recent years, which seek to cut off the “traditional” lines of coverage.  Most recently, ISO filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies.  These became effective in May 2014.[17]  Although the full reach of the new exclusions ultimately will be determined by judicial review, from an enterprise risk management perspective, the newer exclusions provide another reason for companies to carefully consider specialty “cyber” insurance products.[18]
     
  3. Carefully consider—and negotiate—appropriate specialized coverage.  “Cyber” and technology E&O insurance coverage can be extremely valuable,[19] but choosing the right insurance product presents real and significant challenges. There is a diverse and growing array of cyber products in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. In addition, the specific needs of different industry sectors, and different companies within those sectors, are far-reaching and diverse.  Although placing coverage in this dynamic space presents challenges, it also presents substantial opportunities. “Cyber” and technology E&O insurance policies are negotiable, and the terms of the insurer’s off-the-shelf policy forms can often be significantly enhanced and customized to respond to the insured’s particular circumstances.  Frequently, very significant enhancements can be achieved for no increase in premium.  It is important to identify the right cyber insurance product and then negotiate the coverage terms so that they reflect the reality of risk and the organization’s potential particular risk profile and exposure.
     
  4. Don’t take “no” for an answer.  Unfortunately, even where there is a legitimate claim for coverage, an insurer may deny an insured’s claim.   Indeed, insurers can be expected to argue, as Portal’s insurers argued, that data breaches are not covered under CGL insurance policies.  In addition, disputes are now arising under newer specialty “cyber” and technology E&O policies.[20]  Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage if they effectively pursue their claim.[21] 
     
  5. Maximize coverage across the entire insurance portfolio.  Various types of insurance policies may be triggered by a data breach incident, and those various triggered policies may carry different insurance limits, deductibles, retentions, and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance, and stacking of limits.  For this reason, in addition to considering the scope of substantive coverage under an organization’s various insurance policies, it is important for the organization to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio.  By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, an organization should keep in mind considerations such as the fact that defense costs often do not erode CGL policy limits.  Armed with the appropriate facts, the organization can structure the coverage strategy accordingly.

*          *          *          *          *

Portal Healthcare serves as an important reminder that, when facing a data breach event, and before an event occurs, organizations should carefully consider the insurance coverage that may be available to respond to a breach event and the most efficient ways to maximize coverage. 

 

 

Notes:
[1] --- Fed.Appx. ----, 2016 WL 1399517 (4th Cir. Apr. 11, 2016).

[2] Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 115 A.3d 458 (Conn. 2015).

[3] The trial court in Zurich Am. Ins. Co. v. Sony Corp. of Am., et al., No. 651982/2011 (Sup. Ct. N.Y. County) ruled from the bench without a written opinion. The Transcript is cited below at footnote 13.

[4] 35 F.Supp.3d 765, 767 (2014) (Virginia law).

[5] Id. at 768.  Two patients in Portal Healthcare discovered that when they conducted a “Google” search of their respective names, the first link that appeared was a direct link to their respective medical records.  See id.

[6] Id. at 771.  The two policies at issue in Portal Healthcare covered, respectively, (1) the “electronic publication of material that ... gives unreasonable publicity to a person’s private life”; and (2) the “electronic publication of material that ... discloses information about a person’s private life”.  Id. at 767.

[7] The patients accessed their own records and only alleged that the information was available for view by a third party. See id. at 770-71.

[8] Id. at 770.

[9] Id. at 771.

[10] Affirming the trial and intermediate appellate courts, the Connecticut Supreme Court in Recall Total ultimately determined that the “publication” requirement was not satisfied because, as found by the intermediate appellate court, the plaintiffs “failed to provide a factual basis that the information on the tapes was ever accessed by anyone.”  Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 83 A.3d 664, 673 (Conn. Super. Ct. 2014), aff’d 115 A.3d 458, 460 (Conn. 2015) (“Our examination of the record and briefs and our consideration of the arguments of the parties persuade us that the judgment of the Appellate Court should be affirmed.”).  Significantly, however, the intermediate appellate court in Recall Total noted that there was nothing in the record in that case to suggest that “the unknown party even recognized that the tapes contained personal information.”  Recall Total, 83 A.3d at 673 n.9.  In contrast to the very unique facts of Recall Total, there should be no question that a “publication” exists to trigger CGL coverage in a typical data breach circumstance.  See also Case Highlights Reasons To Consider Data Breach Insurance, Law360 (Jan. 14, 2014).

[11] Portal Healthcare, 35 F.Supp.3d at 771.

[12] Id. at 770.

[13] Id. On this point, Portal Healthcare reaches a conclusion contrary to the conclusion reached by the New York trial court in the Sony PlayStation coverage litigation, in which the trial court agreed with Sony’s insurers that “coverage is limited to protect against the purposeful and intentional acts committed by the insured or its agents [like third-party hackers], not by non-insureds or third-parties.”  Zurich Am. Ins. Co.’s Mem. of Opp. to Sony Computer Entertainment Am. LLC’s Motion for Partial Summary Judgment and in Support of Cross-Motion for Summary Judgment, at p. 16 (Aug. 30, 2013).  The trial court in Sony accepted the insurer’s argument that the policy coverage is limited to intentional acts.  See Transcript of Proceedings, filed Mar. 3, 2014, at p. 77 (“The question now becomes, was that a publication that was perpetrated by Sony or was that done by the hackers. There is no way I can find that Sony did that.”).  See also 5 Reasons The Sony Data Breach Coverage Denial Is Wrong, Law360 (Feb. 28, 2014). Notably, however, the trial court in Sony found that the “publication” requirement was otherwise satisfied—even though, as in Portal Healthcare, there was no evidence that the compromised data at issue in the Sony breach was actually published. See Transcript of Proceedings, filed Mar. 3, 2014, at pp. 42, 77 (“I look at it as a Pandora’s box. Once it is opened it doesn’t matter who does what with it. It is out there. It is out there in the world, that information….We are talking about the internet now. We are talking about the electronic age that we live in. So that in itself, by just merely opening up that safeguard or that safe box where all of the information was, in my mind my finding is that that is publication. It’s done.”).

[14] Portal Healthcare, 35 F.Supp.3d at 771. Separately addressing the “unreasonable publicity” and “discloses” requirements, the district court held that “the facts and circumstances alleged in the class-action complaint gave ‘unreasonable publicity’ to, and ‘disclose[d]’ information about, patients’ private lives ….”  Id. at 772.   By way of background, insurers typically assert in privacy-related cases that the publication at issue did not violate a “person’s right of privacy” as contemplated by the insurance contract.  Courts generally have construed the “right to privacy” requirement broadly and have found the requirement satisfied in a broad spectrum of settings.

[15] 2016 WL 1399517, at *2, *3.

[16] The current CGL standard-form policy covers the “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”   ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §14.e.  Considering this verbiage and similar iterations of the standard form language, numerous decisions have found coverage for a wide variety of claims alleging breach of privacy laws and regulations, including data breach.   

[17] By way of example, one of the endorsements, entitled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information”, adds the following exclusion to Coverage B:

This insurance does not apply to:
Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.

CG 21 08 05 14 (2013).

[19] Virtually all “cyber” policies provide defense and indemnity coverage for claims arising out of data breaches and other privacy-related incidents.  Importantly, “cyber” policies also typically provide coverage for the costs and expenses associated with “crisis” or “event” management in the wake of a data breach incident, including, for example, breach notification, credit monitoring and counseling services, public relations efforts, and forensics to determine cause and scope of a breach.  In addition to privacy-related coverage, most “cyber” policies offer coverage for, among other things, liability and exposure arising out of the transmission of malicious code, denial of third-party access to the insured’s network (DDoS attacks), media liability (for claims alleging, for example, infringement of copyright and other intellectual property rights), first-party coverage (for loss of the insured’s own data, for example), network/supply chain interruption (covering business interruption and extra expense caused by network incidents), and cyber extortion.

[20] 5 Tips For Success In Cyberinsurance Litigation, Law360 (July 30, 2015).

[21] See, e.g., Travelers Prop. Cas. Co. of Am., et al. v. Federal Recovery Servs., Inc., et al., 103 F.Supp.3d 1297 (D. Utah 2015); Columbia Cas. Co. v. Cottage Health Sys., No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015).  See also Takeaways From the First Cyberinsurance Lawsuit, The Legal Intelligencer (Aug. 25, 2015); The Devil in the “Cyber” Insurance Details, K&L Gates Commercial Disputes Alert (June 11, 2015); Jeff Sistrunk, The State Of Cyber Coverage Law: 4 Key Decisions, Law360 (July 30, 2015).

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising
