The Fourth Circuit holds that commercial general liability insurance – in lack of a specific exclusion – covers right of defense for data breach

insuranceOn April 11, 2016, the Forth Circuit held that Travelers Indemnity Company of America (“Travelers”) had a duty to defend its insured Portal Healthcare Solutions, LLC (“Portal”), sued in a lawsuit for data breach, under the terms of a commercial general liability (CGL) policy (note: not a cybersecurity policy). Travelers Indem. Co. of Am. v. Portal Healthcare Sols., No. 14-1944 (4th Cir., April 11, 2016).

Portal, an electronic record-keeping contractor for Glens Falls Hospital, was sued in New York in 2013 class-action by patients of Glens Falls Hospital, after their medical records had been made publicly available online by Portal (it was proved that a Google search under the patients’ name would allow the display of their records).

Travelers sued Portal in the Eastern District of Virginia, seeking a declaration that it was not bound to defend the insured in the class action “because the class action complaint fails to allege a covered publication by Portal” (there was no evidence that someone actually accessed the records).

On July 17, 2014, the Eastern District of Virginia directed Travelers to defend Portal in the the class action (Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., 35 F. Supp. 3d 765 (E.D. Va. 2014)) and Travelers appealed.

The Fourth Circuit affirmed, finding that Travelers had not proved that its policies excluded the defense of lawsuits of this sort. Lacking a specific exclusion, the policy language had to be interpreted broadly, so to cover the duty to defend lawsuits like this:

Under Virginia law, an insurer’s duty to defend an insured is broader than its obligation to pay’ or indemnify an insured, and that the insurer must use language clear enough to avoid . . . ambiguity if there are particular types of coverage that it does not want to provide. Internal citations and quotations omitted.

        Because “the class-action complaint at least potentially or arguably alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” Internal citations and quotations omitted.

The Fourth Circuit dismissed off-hand Travelers’ allegation that there was no proved access by the public (“any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online”) finding that “Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal”. The Fourth Circuit observed that “courts have been consistent in construing the language of [insurance] policies, where there is doubt as to their meaning, in favor of that interpretation which grants coverage, rather than that which withholds it”. Internal citations and quotations omitted.

Full (unpublished) decision (with no precedential value) here

For more information, Francesca Giannoni-Crystal.