Fourth Circuit Requires CGL Insurer to Defend Data Breach Class Action

The increasing market for cyber insurance policies combined with the addition of cyber exclusions has cooled litigation over whether a cyber breach triggers coverage under a commercial general liability (CGL) policy and whether a CGL insurer owes a duty to defend litigation arising from a cyber breach. However, the expansion of cyber insurance and integration of cyber exclusions has not the stemmed litigation under older CGL policies, many of which do not include cyber exclusions. Earlier today, the Fourth Circuit Court of Appeals addressed cyber coverage under a traditional CGL policy in Portal Healthcare v. Travelers Indemnity Company, Case No. 14-1944.

Portal arose after plaintiffs filed a putative class action, alleging that Portal negligently failed to secure a server containing confidential records for patients at a hospital, thereby making the records available for anyone to view online without a password. The insured argued that Travelers owed a duty to defend that class action because the medical records company published, and therefore disclosed, confidential information, triggering the personal and advertising injury coverage provision in the CGL policy. Travelers disagreed, arguing that the failure to secure a server is not a publication. Publication, Travelers argued, requires the deliberate step of disseminating the records – which was not alleged.

The Fourth Circuit accepted the insured’s argument, with little explanation or analysis. Commending the district court for limiting its analysis to the complaint and policy, the court concluded that “the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” The court did not explain why a failure to secure a private server satisfies the plain meaning of the word publication, but instead accepted the conclusion that the possibility of pubic access constitutes publication: “Such conduct, if proven, would have given ‘unreasonable publicity to, and disclose[d] information about, patients’ private lives,’ because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”

Portal should have limited impact on modern CGL policies because the cyber exclusions therein resolve the question of whether there is a duty to defend cyber breach litigation. However, within the Fourth Circuit, Portal suggests that a CGL insurer should carefully review cyber-related claims. Portal should be limited to the unique facts underlying the claim (in that records were made publicly available), but the Court’s failure to provide a definition of publication leaves the scope of this decision open to discussion.