Availability of insurance is often among the first questions that arises when a company encounters a data breach or other Internet-related problem involving company records, even where the company lacks a cyberinsurance policy. The federal Fourth Circuit Court of Appeals recently affirmed a ruling by a District Court that required insurance coverage for an inadvertent disclosure of private healthcare information under the policy’s provisions regarding the publication of material that may give “unreasonable publicity” to, or disclose information about, a person’s private life. Travelers Indem. Co. v. Portal Healthcare Solutions, LLC, Case No. 14-1944 (4th Cir. April 11, 2016) (unpublished). Two patients of Portal Healthcare who found their medical information through a Google search filed a class action suit against the hospital for allegedly having inadvertently made hospital medical records available and unprotected on the Internet. Portal then sought coverage against its insurer, Travelers Indemnity Company.
Travelers, in turn, sought a declaratory judgment that it was not obliged to defend Portal under the traditional policies that Portal had purchased. The trial court found coverage under policy language covering an injury arising from the “electronic publication of material” that discloses information about a person’s private life. See Travelers Indem. Co. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014). This type of traditional invasion of privacy claim has historically been covered by this type of policy. According to the trial court, the private medical information was “published” because it was available to everyone on the Internet—even though it was unclear whether anyone besides the two plaintiffs had ever accessed it—and because the information clearly related to the patient’s private life. The appellate court agreed with the trial court’s reasoning and affirmed the finding that Travelers had a duty to defend Portal in the suit.
Whether a particular insurance policy will cover a particular data breach depends on the terms of the relevant provisions, and this case may represent a unique situation in both the contractual terms and the facts surrounding the alleged breach. However, the appeals court’s decision is a persuasive reminder that insurance policies are generally read to benefit the insured where possible and where ambiguity lies. Companies managing their data flows should ensure that agreements with vendors appropriately to maximize data protections and appropriately apportion responsibility in the event of breach. Insurance coverage is also an important consideration. In this era of exponential growth in data breach litigation, companies should also carefully examine insurance policies for both coverage and for exclusions, as the insurance industry’s response to this sort of coverage decision may involve added limits on the types of claims that are covered.