In an unpublished opinion issued Monday, April 11, 2016, the Fourth Circuit Court of Appeals upheld a district court’s grant of summary judgment finding that Travelers had a duty to defend its insured, Portal Healthcare Solutions, L.L.C., under a commercial general liability (“CGL”) policy in a class-action suit alleging the publication of private medical records. This decision is at odds with at least two state court decisions, including one by the Connecticut Supreme Court, which held that traditional CGL policies do not provide coverage for liabilities arising out of cyber security issues.

Travelers had issued two CGL policies Portal, in 2012 and 2013, which obligated Travelers to defend Portal for injury arising from (1) “the electronic publication of material that . . . gives unreasonable publicity to a person’s private life” (2012 Policy) or (2) “the electronic publication of material that discloses information about a person’s private life” (2013 Policy). On April 18, 2013, a class-action suit was filed in New York state court alleging that Portal failed to safeguard the confidential medical records of patients at Glen Falls Hospital (“Glen Falls”), posting those records on the Internet and causing those records to become publicly accessible on the Internet.

Finding that the underlying complaint at least “potentially or arguably” alleged an electronic “publication” of material, the court noted that while the term “publication” was not defined in the policies, placing medical records before the public fell within the plain meaning of “publication.” The court also pointed out that the definition of “publication” does not hinge on the would-be publisher’s intent, concluding that an “unintentional publication is still a publication.” The court also found that the publication of the medical records constituted “unreasonable publicity” to, and “disclosed” information about, patient’s private lives, under the plain meaning of the respective terms. It also dismissed Travelers’ argument that this had not been a “publication” because no third parties had viewed the information, stating that “publication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it. Because the allegations in the complaint possibly fell within the plain meaning of the applicable policy provisions, the court granted summary judgment in favor of Portal, finding that Travelers had a duty to defend in the underlying litigation.

On appeal, the Fourth Circuit commended the district court for its “sound legal analysis,” and provided very little of its own. Rejecting Travelers’ “efforts to parse alternative dictionary definitions,” the court adopted the district court’s finding that the underlying complaint “at least potentially or arguably” alleges a “publication” of private medical information that constitutes conduct covered under the policies. The court opined that, if the alleged conduct was proven, it would lead to “unreasonable publicity to, and disclosed information about patients’ private lives” as any member of the public with an Internet connection would be able access such records.

In the district court’s view, what Portal did by posting the records was engage in the process of making previously unknown records suddenly known to the public at large and thus, the records were “disclosed” the moment they were posted publicly online, regardless of whether a third party viewed them. By accepting the argument that the failure to secure a sever is a “publication” under that term’s plain meaning, the Fourth Circuit departed from traditional notions of what constitutes a “publication,” yet failed to adopt a concrete definition of the term in this context. This combination will undoubtedly create some degree of uncertainty moving forward, which will be tempered by the fact that most modern CGL policies do contain cyber exclusions. Nevertheless, Portal reasons that insurance companies faced with cyber-related claims should carefully consider their coverage obligations under the CGL policy.