Fourth Circuit Finds Travelers Has a Duty To Defend Cyber Claim

04.18.2016

The United States Court of Appeals for the Fourth Circuit issued an unpublished opinion affirming the judgment of the district court that The Travelers Indemnity Company of America has a duty to defend its insured, Portal Healthcare Solutions, L.L.C., against a class-action lawsuit pending in New York state court.  Travelers Indem. Co. of Am. v. Portal Healthcare Sols., LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014), aff'd sub nom. Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944, 2016 WL 1399517 (4th Cir. Apr. 11, 2016).  The class action plaintiffs allege that Portal posted their confidential medical records on the internet, making their private medical information available to anyone doing a Google search for the patient’s name.  The district court held that exposing medical records online constitutes a “publication” within the meaning of the policies and that this exposure gave “unreasonable publicity” to the patient’s private life.  While Fourth Circuit agreed, the real analysis is in the district court’s ruling.

The Fourth Circuit’s opinion does not re-hash the trial court’s analysis, but rather simply states that Judge Lee properly applied the “Eight Corners Rule” to determine whether Travelers had a duty to defend.  That rule requires a trial court to examine (1) the policy language to ascertain the terms of the coverage, and (2) the underlying class action complaint to determine whether the claims alleged are covered by the policy.  Under Virginia law, the duty to defend is fairly broad—as long as the complaint alleges grounds for liability that are potentially or arguably covered by the policy, then a duty to defend exists.

The Travelers policies at issue contain two key prerequisites to coverage.  First, the policies require an electronic “publication” of material.  Second, the policies require that the published material give “unreasonable publicity” to, or “disclose” information about, a person’s private life.  The policies do not define “publication,”  so the district court applied the term’s plain meaning and determined that the medical records were published the moment they became available online.  Judge Lee rejected Travelers’ arguments that publication did not occur because Portal did not intend to publish the medical records and because there was no allegation that any third party actually viewed the medical records.  As Judge Lee explained, publication occurs when information is placed before the public, not when someone reads the information.  Because the unrestricted posting of medical records online exposed private medical information to the public at large, the court found that the second prerequisite to coverage was also met.

At first blush, the Fourth Circuit’s ruling appears to be pro-policyholder—lending credence to the argument that CGL coverage extends to data breaches.  But policyholders should not rely upon this highly fact-specific decision to justify passing on purchasing cyber coverage.  The Court’s limited holding was that publication occurs when a security breach causes private data to be available online based on the facts as alleged.  The Travelers case does not support an argument that all data security breaches will be, or should be, covered under CGL policies.  When it comes to data breach incidents, policyholders should certainly look for coverage across their entire insurance program (both cyber and traditional coverage).  But any potential overlap in coverage may also be problematic.  For example, different insurers on the same risk may try to point the finger at each other.  The “other insurance” clauses in cyber and CGL policies may take on a new importance if the cyber insurer cites to this case in an attempt to duck coverage.  One thing is clear: in the wake of the Fourth Circuit’s decision, insurers will continue to tighten up their non-cyber policies in order to prevent future findings of coverage under similar policy language.  The chance that the term “publication” remains undefined in insurers’ policies is slim to none.  All the more reason for policyholders to actively seek to add cyber coverage to their insurance programs.