Fourth Circuit Finds Insurer Must Defend Data Breach Claims Against Its Insured Under Its Standard CGL Policy

Commercial General Liability policies have, for several decades, included advertising and personal injury coverage. Such coverage is afforded for injury caused by various enumerated offenses, including breach of privacy. Although the precise terms of CGL policies vary, under some policies covered offenses include publication of material that discloses information about, or gives unreasonable publicity to, a person’s private life. What it means to advertise or publish often gives rise to disputes between insurers and their policyholders, with insurers often arguing that these terms require widespread and intentional dissemination of information by a policyholder. On April 11, 2016, the Fourth Circuit Court of Appeals held otherwise, concluding that when private data can be retrieved from the Internet, it constitutes “publication,” triggering an insurer’s duty to defend even where there is no allegation that the policyholder publicized the data and/or that the data was actually accessed by the public. As Joe Fields, the Insurance Coverage Group's Special Counsel reported to Law360 (Insurance), the ruling bolsters policyholders' claims for coverage given the Court’s express finding that, when private data can be retrieved from a public server, there has been a publication.

When patients found their private medical records online following their own Google search, they filed a class action lawsuit against Portal Healthcare Solutions, LLC, alleging that Portal was liable for posting confidential medical records on the Internet. Portal sought a defense from its insurer, Travelers Indemnity Co. of America, who instead sued Portal in the Eastern District of Virginia (No. Civ. 1:13-cv-917 (GBL)), seeking a declaration that it owed no coverage to Portal for the class action. Both Portal and Travelers moved for summary judgment as to Travelers’ defense obligations. Travelers argued that “publication” involved more than placing the private information before the public, noting that no third party was alleged to have viewed the information. The District Court observed that publication was not a defined term in Travelers’ policies. They provided, however, that Travelers was legally obligated to pay damages due to injury arising from (1) the “electronic publication of material that ... gives unreasonable publicity to a person’s private life” (the language found in the 2012 policy) or (2) the “electronic publication of material that ... discloses information about a person’s private life” (the language found in the 2013 policy). The Court explained that under Virginia law, the duty to defend is broader than the duty to indemnify, and observed that an insurer’s coverage obligations can be discerned by comparing its policy’s provisions to the allegations of the complaint. In so doing, the District Court explained that the policies contain two relevant prerequisites to coverage. First, the policies require an electronic publication of material. Second, they require that the published material give “unreasonable publicity” to, or “disclose” information about, a person’s private life. Using this framework, the Court found that publication occurs when information “is placed before the public” and that the policies contained no requirement that third parties access it. The District Court therefore granted Portal’s motion for summary judgment.

The Fourth Circuit affirmed in a written opinion adopting the reasoning of the District Court. The Court of Appeals noted the “sound legal analysis” employed by the District Court, and explained that Travelers’ efforts to parse alternative dictionary definitions of publication could not absolve it of its duty to defend Portal. The Court of Appeals, indeed, reminded that when construing insurance policies’ terms, courts must resolve all doubt as to their meaning in favor of an interpretation which grants coverage, not withholds it.

The takeaway here is that all companies should evaluate the extent to which their insurance programs contain data breach coverage before an actual or suspected breach occurs. Notwithstanding the Fourth Circuit’s ruling, law in this area remains fact-specific and mixed. Moreover, some insurers have issued policy endorsements limiting personal and advertising injury coverage for offenses relating to breach of privacy and disclosure of confidential information. Many insurers also offer cyber policies and endorsements to respond to these types of risks. If you have questions or concerns, McCarter & English’s Cybersecurity and Data Privacy Task Force is happy to help. McCarter & English’s Insurance Coverage Group also regularly reviews insurance policies to evaluate the scope of existing coverage relative to cybersecurity and data breach risks.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McCarter & English, LLP | Attorney Advertising

Written by:

McCarter & English, LLP
Contact
more
less

McCarter & English, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.