Rosen Millennium Inc. (“Millennium”), the cyber security and IT support subsidiary of Rosen Hotels & Resorts, Inc., has appealed to the Eleventh Circuit, contending that a Florida federal court ignored Florida insurance law when it ruled that Travelers Insurance Company has no duty to defend it against a multimillion-dollar claim arising out of a cybersecurity breach.
In Zurich American Insurance Co. v. Don Buchwald & Associates, Inc., 2018 N.Y. Slip. Op. 33325(U) (Sup. Ct. N.Y. County, Dec. 21, 2017), the Supreme Court of New York held that Zurich was obligated to defend a talent and literary agency against claims brought by Hulk Hogan alleging that the agency aided and abetted one of its agents—Tony Burton—in publishing racist and sexual footage of Hulk Hogan online. The decision also gives ammunition to policyholders seeking to recover their fees incurred while litigating against an insurer’s improper denial of coverage. The court found that the insureds had “been cast in a defensive posture” due to the insurer’s claims seeking a declaratory judgment, and that this justified a fee-shifting award.
A California federal court found coverage under AIG’s general liability policy for the defense and indemnity of email scanning suits against Yahoo!. Those suits generally alleged that Yahoo! profited from scanning its users’ emails. Because the allegations gave rise to the possibility that Yahoo! disclosed private content to a third party, the court found that the suit potentially fell within the coverage for “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Thus, AIG’s duty to defend was triggered.
The court also found that AIG had a duty to indemnify for Yahoo!’s settlement in the email scanning suits. One key question was whether the settlement amount paid as attorneys’ fees to plaintiff’s counsel constituted damages under the policy. The court concluded that it did, based on the fact that the plaintiffs sought attorneys’ fees under a statute and on its finding that Yahoo! would reasonably expect that those fees would qualify as damages.
Yahoo! had also alleged that AIG acted in bad faith in its claims handling because AIG had denied coverage for the first two lawsuits and then ultimately acknowledged such an obligation with respect to the third lawsuit, and in so doing had cited exclusions that were not a part of the policy. The court found that this issue was one for a jury to decide.
This decision is another example showing that valuable cyber coverage for defense and indemnification may be available under general liability policies. Of course, whether there is coverage will depend on the particulars of the claim and the insurance policy.
Hunton Andrews Kurth insurance practice head, Walter Andrews, recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach.
Syed Ahmad, a partner in the Hunton & Williams LLP insurance recovery practice, was quoted in an article by Law360 concerning the Fourth Circuit’s April 11, 2016 decision in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. In the decision, a panel of the Fourth Circuit affirmed the decision of a Virginia district court, which held in August 2014 that Travelers must defend Portal Healthcare Solutions LLC against a proposed class action alleging that the policyholder’s failure to secure its server made medical records accessible by unauthorized users online. The decision confirms that legacy CGL policies do, indeed, afford coverage for cyber-related liabilities. In the Portal decision, the issue was whether the mere online availability of sensitive information constitutes “publication” for purposes of triggering a CGL policy’s personal or advertising injury coverage and its corresponding duty to defend. The appellate court said it does, and adopted the district court’s reasoning that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.” That the information may not have actually been accessed does not factor into whether the information was “published” for purposes of triggering coverage. Rather, the immediate accessibility of online information and the broad reach of that material is itself sufficient to amount to the requisite publication. The decision makes perfect sense in the context of web-based content and the ease with which it can be accessed. The decision also provides a sound answer to Mr. Ahmad’s rendition of the age-old question “If a tree falls in a forest and no one is around, does it make a sound?” According to the district court and Fourth Circuit, yes, apparently it does make a sound.
On April 11, 2016, the Fourth Circuit affirmed a trial court’s decision that Travelers must defend a class action against its policyholder, Portal Healthcare Solutions, arising out of Portal’s alleged failure to safeguard confidential medical records. In the class action, the plaintiffs contended that Portal had allowed their private medical records to be accessed on the internet for more than four months by a simple Google search of a patient’s name. Portal sought coverage under provisions in two Travelers policies that provided coverage for alleged injury arising from “electronic publication of material” that “gives unreasonable publicity to a person’s private life” or that “discloses information about a person’s private life.”