Hunton Andrews Kurth insurance practice head, Walter Andrews, recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach.
Syed Ahmad, a partner in the Hunton & Williams LLP insurance recovery practice, was quoted in an article by Law360 concerning the Fourth Circuit’s April 11, 2016 decision in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. In the decision, a panel of the Fourth Circuit affirmed the decision of a Virginia district court, which held in August 2014 that Travelers must defend Portal Healthcare Solutions LLC against a proposed class action alleging that the policyholder’s failure to secure its server made medical records accessible by unauthorized users online. The decision confirms that legacy CGL policies do, indeed, afford coverage for cyber-related liabilities. In the Portal decision, the issue was whether the mere online availability of sensitive information constitutes “publication” for purposes of triggering a CGL policy’s personal or advertising injury coverage and its corresponding duty to defend. The appellate court said it does, and adopted the district court’s reasoning that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.” That the information may not have actually been accessed does not factor into whether the information was “published” for purposes of triggering coverage. Rather, the immediate accessibility to on-line information and the broad reach of that material is itself sufficient to amount to the requisite publication. The decision makes perfect sense in the context of web-based content and the ease by which it can be accessed. The decision also provides a sound answer to Mr. Ahmad’s rendition of the age-old question “If a tree falls in a forest and no one is around, does it make a sound?” According to the district court and Fourth Circuit, yes, apparently it does make a sound.
On April 11, 2016, the Fourth Circuit affirmed a trial court’s decision that Travelers must defend a class action against its policyholder, Portal Healthcare Solutions, arising out of Portal’s alleged failure to safeguard confidential medical records. In the class action, the plaintiffs contended that Portal had allowed their private medical records to be accessed on the internet for more than four months by a simple Google search of a patient’s name. Portal sought coverage under provisions in two Travelers policies that provided coverage for alleged injury arising from “electronic publication of material” that “gives unreasonable publicity to a person’s private life” or that “discloses information about a person’s private life.”