March 24, 2016 the Fourth Circuit heard oral arguments in Travelers Indemnity
Co. v. Portal Healthcare Solutions, No. 14-1944 (4th Cir. Mar. 24, 2016). This
potentially precedent-setting case tackles the issue of whether traditional
commercial general liability ("CGL") insurance policies provide
coverage for liability arising out of cyber-security issues, such as a failure
to secure confidential customer data.
CGL policies at issue in the case provide coverage for "those sums that
the insured becomes legally obligated to pay as damages because of 'personal
injury' . . . to which this insurance applies." One of the subject
policies defines "personal injury" to include, inter alia,
"Oral, written or electronic publication of material that . . . gives unreasonable
publicity to a person's private life." The other subject policy defines
"personal injury" to include, inter alia, "Oral or written
publication, including publication by electronic means, of material that . . .
[d]iscloses information about a person's private life."
insured, Portal Health Care Solutions, LLC ("Portal"), a healthcare
provider, was sued by several of its patients for failing to adequately
safeguard their private and confidential health information after they were
able to access their medical records online through Google. Portal sought
coverage for the claims under the subject policies, and the insurer, Travelers
Indemnity Co. ("Travelers"), filed an action for declaratory judgment
to determine its rights and obligations under the policies. On summary judgment
in the declaratory judgment action, the district court held that Travelers must
provide coverage for Portal in the underlying class action suit because Portal's
handling of its patients' data constituted a "publication" of the
material that gave "'unreasonable publicity' to, and disclose[d]'
information about patients' private lives within the meaning of the"
subject policies. See Memorandum Opinion and Order, Travelers Indemnity Company
of America v. Portal Healthcare Solutions, LLC, 1:13-cv-00917 (GBL) (E.D. Va.
Aug. 7, 2014).
appeal to the Fourth Circuit, Travelers argued that the district court's
holding constituted a "serious error" by ruling that failure to
secure the patient's data constituted "publication" of the data.
Travelers contended that "publication" requires actual action to
disseminate the information amongst the public, not just a lack of security.
Portal countered in their brief that the only thing that mattered in this case
was that the underlying complaint alleged "publication," thus
triggering coverage, because it compares Portal's actions to "leaving a
book in a public place where anyone can read it." In a separate amicus
curiae brief, the American Insurance Association argued that Portal was simply
trying "to shoehorn into the terms of its traditional general liability
Policies the claim that it failed to safeguard the [underlying] plaintiffs'
Fourth Circuit's decision in this case could have far-reaching implications for
the coverage available for cyber-attacks. Although in this case no third-party
penetrated defenses set up by Portal, if the Fourth Circuit upholds the lower
court's finding of coverage, companies that are the victim of hacking attacks
by third-parties could also argue for coverage under existing similar CGL policies.
Under this theory, a company would "publicize" its customers'
confidential data when hackers access the data.
in the event the Fourth Circuit upholds the lower court's decision, it is
unlikely that coverage under most future CGL policies would be available.
Rather, insurers are likely to increase their reliance on broad "cyber
exclusions" in CGL policies. These exclusions preclude coverage for losses
stemming from cyber-events, such as data breaches. Companies seeking coverage
would have to purchase separate cyber-insurance policies -- at an additional
premium -- to provide coverage for those events.
Portal case could increase the scope of coverage available for insureds under
existing CGL insurance policies to include claims for liability stemming from
cyber-attacks. Insurance companies as well as CGL and cyber-insurance policy
holders should carefully watch the Fourth Circuit's decision in the coming
month to understand the full extent and limits of their coverage.