When it comes to insurance coverage for cyber risks, uncertainty continues to reign supreme. Cyber liability insurance is constantly evolving, and while dozens of insurers currently offer a cyber liability product, coverages are not standard from policy to policy. Given the varying nature of cyber risks, any number of different policies may respond to provide coverage for a cyber-related claim in some way, shape or form. Oddly enough, this now includes the commercial general liability (CGL) policy.
In a recent unpublished decision, the U.S. Court of Appeals for the Fourth Circuit upheld a district court’s grant of summary judgment, finding that Travelers had a duty to defend its insured under a CGL policy in a class-action suit alleging the publication of private medical records. The Travelers Indem. Co. of America v. Portal Healthcare Solutions, 644 Fed. Appx. 245 (4th Cir. 2016). This decision is at odds with at least two state court decisions, including one by the Connecticut Supreme Court in Recall Total Information Management v. Federal Ins., 317 Conn. 46 (2015), which held that traditional CGL policies do not provide coverage for liabilities arising out of cyber risks. See also Zurich Am. Ins. v. Sony, 2014 WL 3253541 (N.Y. Sup. Ct. Feb. 21, 2014) (insurer had no duty to defend under CGL policy in connection with a 2011 cyberattack since the breached information was published by the hackers, not Sony itself, and the policy required that the “publication” result from the policyholder’s own actions).
Travelers had issued two CGL policies to Portal, in 2012 and 2013, which obligated Travelers to defend Portal for injury arising from (1) “the electronic publication of material that … gives unreasonable publicity to a person’s private life” (2012 policy) or (2) “the electronic publication of material that discloses information about a person’s private life” (2013 policy). On April 18, 2013, a class-action suit was filed in New York state court alleging that Portal failed to safeguard the confidential medical records of patients at Glen Falls Hospital, posting those records on the internet and causing those records to become publicly accessible on the internet.
Finding that the underlying complaint at least “potentially or arguably” alleged an electronic “publication” of material, the court noted that while the term “publication” was not defined in the policies, placing medical records before the public fell within the plain meaning of “publication.” The court also pointed out that the definition of “publication” does not hinge on the would-be publisher’s intent, concluding that an “unintentional publication is still a publication.” The court also found that the publication of the medical records constituted “unreasonable publicity” to, and “disclosed” information about, patients’ private lives, under the plain meaning of the respective terms. It also dismissed Travelers’ argument that this had not been a “publication” because no third parties had viewed the information, stating that “publication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it. Because the allegations in the complaint possibly fell within the plain meaning of the applicable policy provisions, the court granted summary judgment in favor of Portal, finding that Travelers had a duty to defend in the underlying litigation.
On appeal, the Fourth Circuit commended the district court for its “sound legal analysis,” and provided very little of its own. Rejecting Travelers’ “efforts to parse alternative dictionary definitions,” the court adopted the district court’s finding that the underlying complaint “at least potentially or arguably” alleges a “publication” of private medical information that constitutes conduct covered under the policies. The court opined that, if the alleged conduct was proved, it would lead to “unreasonable publicity to, and disclosed information about patients’ private lives” as any member of the public with an internet connection would be able access such records.
In the district court’s view, what Portal did by posting the records was engage in the process of making previously unknown records suddenly known to the public at large and, thus, the records were “disclosed” the moment they were posted publicly online, regardless of whether a third party viewed them. By accepting the argument that the failure to secure a sever is a “publication” under that term’s plain meaning, the Fourth Circuit departed from traditional notions of what constitutes a “publication,” yet failed to adopt a concrete definition of the term in this context. This combination will undoubtedly create some degree of uncertainty moving forward, which will be tempered by the fact that most modern CGL policies contain cyber exclusions. Nevertheless, Portal reasons that insurance companies and business alike should be mindful of the potential for coverage under the CGL form.
Cybersecurity & Data Privacy