Over the last couple of years, courts have struggled with whether cyber claims could trigger coverage under commercial general liability (CGL) insurance policies. While courts have found most cyber claims will not be covered as “bodily injury” or “property damage” under the typical CGL policy, some courts have struggled with whether cyber claims constitute “publication” under the advertising and personal injury coverage of a typical CGL policy.
Travelers Indemnity Co. v. Portal Healthcare Decision
On April 11, 2016, the 4th U.S. Circuit Court of Appeals issued its unpublished decision in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C. In Portal, the 4th Circuit held medical records posted on the Internet could potentially give rise to coverage under a CGL policy.
This coverage action originates with a class action complaint filed against Travelers’ insured, Portal, alleging that Portal’s conduct resulted in the underlying plaintiffs’ medical records being posted on the Internet for more than four months. Travelers initiated the declaratory judgment action seeking a determination that there was no coverage for the class action complaint under two CGL policies it issued to Portal.
In affirming the decision by the U.S. District Court for the Eastern District of Virginia, the 4th Circuit held “that the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” The 4th Circuit further held “[s]uch conduct, if proven, would have given ‘unreasonable publicity to and disclose[d] information about patients’ private lives,’ because any member of the public with an Internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”
Based on this reasoning, the 4th Circuit held Travelers had a duty to defend Portal in the class action. This decision highlights the importance of what happens to the sensitive information and whether there is a “publication” as that term is defined under the typical CGL policy.
Putting the Portal Decision in Context
In contrast, on May 18, 2015, the Connecticut Supreme Court affirmed a lower court’s decision finding there was no insurance coverage for more than $6 million in losses related to the exposure of private information belonging to nearly 500,000 IBM employees. In Recall Total Info. Management, Inc. v. Federal Ins. Co., the insured sought coverage under its CGL policy when it lost data storage tapes storing its customer’s private information. The tapes fell off the back of the insured’s van and it was believed that about 130 of the tapes were taken from the road by an unknown person. The CGL policy at issue provided coverage for “personal injury” which included “publication of material that…violates a person’s right to privacy.”
In analyzing this provision and the facts of this case, the Recall Total court first held there was no dispute that the information on the tapes was private, and, second, that the threshold was whether the information on the tapes had been “published.” In finding there was no coverage, the lower court held there was no evidence that the information on the tapes had been found or used after the tapes fell off the van. In reviewing the evidence, the Court found “[t]here is nothing in the record suggesting that the information on the tapes was ever accessed by anyone.” Specifically, the Recall Total lower court decision addressed the personal injury provision in the following manner:
On the basis of our review of the policy, we conclude that personal injury presupposes publication of the personal information contained on the tapes. Thus, the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information in them has been published. The plaintiffs contend that the mere loss of the tapes constitutes a publication, and has alleged that the information was published to a thief. The plaintiffs have failed to cite any evidence that the information was published and thereby failed to take their allegation beyond the realm of speculation. See, e.g., Norse Systems, Inc. v. Tingley Systems, Inc., supra, 49 Conn.App. at 591, 715 A.2d 807 (speculation or conjecture will not overcome motion for summary judgment). As the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.
In its concise decision, the Connecticut Supreme Court said there was no purpose in repeating the discussion in the superior court’s “well-reasoned” January 2014 ruling.
While these decisions may arguably not involve a data breach or a classic cyber claim, many commentators believed that the Recall Total court’s reasoning would shed light on how a data breach might be viewed from a coverage perspective when there is no evidence that the private or confidential information was actually published to third parties.
Portal’s Contribution to Current State of the Law
Undoubtedly, the Portal decision provides significant guidance on the issue of whether data breaches will be covered under traditional CGL policies. Prior to this decision, the body of law was limited to the reasoning of the Recall Total decision, which was in harmony with the trial court’s decision in Sony’s coverage action against Zurich. In the Sony case, which was settled before the appellate court could render its decision, the New York trial court ruled Zurich had no duty to defend because there was no “publication” under Coverage B of the CGL policy.
When the dust settles, we may see that the Portal decision has little impact outside the context of medical records placed on the Internet. Not all cyber claims result in information or data being posted on the Internet, or published in another manner, to third parties. Rather, many cyber claims involve information being taken and used for criminal acts. That is, a court may not find the information taken in the Target breach (credit card information stolen) or similar cyber incidents includes this “publication” element required to trigger CGL coverage.