In a verdict that runs contrary to recent judicial decisions under similar circumstances, a federal appeals court yesterday upheld a ruling that insurance firm Travelers Indemnity Company of America, under the terms of a commercial general liability (CGL) policy, has a duty to defend its client Portal Healthcare Solutions in a lawsuit stemming from an electronic data breach.
A three-judge panel presiding over the U.S. Fourth Circuit Court of Appeals in Virginia proclaimed that Travelers, the appellant, failed to prove that its two CGL policies with Portal excluded the defense of a 2013 class-action lawsuit filed by patients of Glens Falls Hospital, whose confidential medical records were publicly posted online by Portal, the hospital's contracted electronic record-keeping service.
“I think it's a shocker to CGL insurers to see a decision like this,” Robert Bregman, senior research analyst at the International Risk Management Institute (IRMI), an insurance industry educational organization, told SCMagazine.com. “CGL insurers don't really think that they should be on the hook for this type of claim. They see this as a cyber and privacy claim, not a general liability claim.”
A lower court in the Eastern District of Va. had previously concluded that the breach was covered under the CGL policies' personal and advertising injury coverage provision, which requires Travelers to render services and payment in the event of “electronic publication of material” that results in “unreasonable publicity” for those people identified within said material.
Travelers had argued in the original case, and during its appeal, that the medical patients' information was not technically “published,” per se, unless it could be proven that a third-party actually reviewed the data. (The records were discovered to be publicly accessible if someone conducted a Google search of a patient's name and clicked on the first result.) The appeals court, in its unpublished per curiam opinion, criticized Travelers' argument as an effort “to parse alternative dictionary definitions,” and asserted that in the absence of specific exclusionary language within a CGL policy, the insurer's responsibilities must be interpreted broadly.
Moreover, the appeals court affirmed that the online publishing of patients' medical records, if proven in court, would meet the threshold of unreasonable publicity “because any member of the public with an Internet connection could have viewed the plaintiffs' private medical records during the time the records were available online.”
A legal analysis by Insurance Journal today noted that the court ruling was “at odds” with recent state court rulings in Connecticut and New York, in which CGL policies were found not to implicitly cover damage from cyberattacks and data breaches. In the New York case, the court ruled that Zurich American Insurance Co. did not have a duty to defend its client Sony following the 2011 hacking of its PlayStation gaming services because acts by bad actors do not amount to “oral or written publication…that violates a person's right of privacy.”
Bregman expressed surprise with the ruling, noting that typically a personal and advertising injury provision within CGL policies are meant to address libel or plagiarism, not privacy issues related to data exposure. While unpublished rulings such as this cannot be cited as legal precedent, insurers with older CGL policies that don't specifically address cyber issues may still be wary of similar rulings moving forward. “The upshot is, there are going to be more exclusionary clauses in upcoming CGL policies as these type of cyber claims” continue to proliferate, Bregman said.