Liability Coverage for Claims of Publishing Secret Data Does Not Require Access by Others
On April 11, 2016, the United States Court of Appeals for the Fourth Circuit concluded that general liability insurance covered claims alleging that an insured was negligent in securing private medical records, even where there was no evidence that any third parties had actually viewed the underlying plaintiffs’ medical records. This “unpublished” decision was issued in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC less than three weeks after the court heard oral argument. Portal Healthcare accordingly stands for the proposition that “publication” within the meaning of the standard commercial general liability coverage for “personal and advertising injury” only requires that claims against an insured allege that confidential information was made available to the public, without allegations that any third party actually accessed it, to trigger the insurer’s duty to defend.
In Portal Healthcare, the underlying plaintiffs filed a class action complaint alleging, inter alia, that Portal Healthcare, LLC and others responsible for the electronic storage of medical records negligently allowed plaintiffs’ private medical records to be accessible, viewable, printable, and available for copying and downloading via the Internet for over four months. Portal’s insurer commenced a declaratory judgment action in the Eastern District of Virginia seeking a declaration that neither of two liability insurance policies it had previously issued to Portal obligated it to defend Portal in that action. One policy provided that the insurer pay sums Portal becomes legally obligated to pay as damages because of injury arising from the “electronic publication of material that… gives unreasonable publicity to a person’s private life." The other policy set forth the same obligation with respect to the “electronic publication of material that… discloses information about a person’s private life.” Neither policy expressly defined “publication.”
At the summary judgment stage, the insurer argued that the class action complaint did not trigger potential coverage under either policy because it did not allege Portal’s actual “publication” of the private medical records. In particular, the insurer asserted that the complaint did not allege (1) that the medical records were intentionally exposed; or (2) that any third party had actually viewed the medical records.
The District Court in Virginia rejected both of these arguments. First, because the policies did not define the terms “publication,” “publicity,” and “disclose,” the District Court resorted to the plain and ordinary meaning of these terms, as set forth in a dictionary: “publication” means “to place before the public (as through a mass medium)”; “publicity” includes, inter alia, “the quality or state of being obvious or exposed to the general view”; and “disclosure” means “the act or process of making known something that was previously unknown.”
Applying what is known as the “eight corners rule” – which requires a court to determine an insurer’s duty to defend by comparing the policy and the complaint – the District Court then reasoned that “[e]xposing medical records to the online searching of a patient’s name, followed by a click on the first result, at least potentially or arguably places those records before the public” because any member of the public could retrieve a patient’s medical records. The District Court rejected as irrelevant the insurer’s argument that the complaint did not allege that the medical records were intentionally exposed, because the definition of “publication” did not require the publisher’s intent to publish – it merely hinged on whether the information was “placed before the public.”
Likewise, the District Court also rejected the insurer’s argument that coverage was barred because there were no allegations that any third party had viewed any of the plaintiffs’ medical records. The court reasoned that the definition of “publication” does not require actual third party access. Specifically, the District Court concluded that “publication” occurs when information “is placed before the public,” not when a member of the public actually reads the information placed before it. Therefore, the court concluded the complaint alleged that the medical records were “published” as soon as they became accessible to the public via an online search. Finally, the court determined that the public availability of previously confidential medical records gave “unreasonable publicity” to and “disclosed” a patient’s private life because it suddenly made those records known to the public at large. Consequently, the District Court concluded that the insurer was required to defend Portal in the underlying class action. The Court of Appeals subsequently affirmed that decision for the same reasons in its April 11, 2016 opinion.
Portal highlights the concepts of “access” and “accessibility” for purposes of determining whether a “publication” has occurred in this context. Last year, based upon different facts – and in the context of the insurer’s duty to indemnify rather than its duty to defend – the Connecticut Supreme Court in Recall Total Information Management, Inc. v. Federal Insurance Company, 317 Conn. 46 (2015) adopted the Connecticut Appellate Court’s opinion concluding there was no “publication” triggering coverage under a similar liability insurance policy where there were no facts that any third party had accessed the lost data in that case. In Recall, computer tapes containing the personal information of thousands of IBM employees fell out of a subcontractor’s van while being transported and were later removed from the roadway by an unknown person. Recall, 147 Conn. App. 450, 453 (2014). Prior to the filing of any lawsuits, IBM and the implicated contractors entered into settlement negotiations – during which their insurers denied coverage – and then settled their claims against each other. Id. at 454.
The liability policy in Recall obligated the insurer to pay damages because of “personal injury," which was defined as “injury, other than bodily injury, property damage or advertising injury, caused by an offense of… electronic, oral, written or other publication of material that… violates a person’s right to privacy.” Id. at 462. In the ensuing coverage litigation, the plaintiffs in Recall argued on appeal that the trial court incorrectly held that “publication” required communication to a third party instead of using the dictionary definition of “publication,” which was “communication (as of news or information) to the public.” Id. at 463. The Recall plaintiffs further argued that the loss of the IBM tapes was a “publication” of the employees’ personal information to the thief who recovered the tapes and to persons unknown. Id.
The Connecticut Appellate Court rejected that argument in a 2014 opinion for reasons adopted by the Connecticut Supreme Court the following year. The Appellate Court first explained that the issue was not the loss of the physical tapes themselves, but whether the information they contained had been published. Id. It then stated that “we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.” Id. at 463, aff’d, 317 Conn. 46 (2015).
As noted above, the court in Portal Healthcare stated that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.” Portal Healthcare, 35 F. Supp.3d at 771. In Portal Healthcare, it was clear that the confidential medical records were accessible by the public and indeed had been accessed by the plaintiffs in that case. In Recall, however, there was no evidence that the sensitive data on the tapes had been accessed or disclosed to the public in general.
The District Court in Portal Healthcare seemed to capture this concept when it distinguished Recall. In Portal Healthcare, the insurer relied upon Recall in support of its argument that coverage did not exist because there were no allegations that any third party had viewed the medical records at issue. In a brief analysis, the District Court distinguished Recall by observing that in that case, the tapes were given, at most, only to a single thief, whereas in Portal Healthcare, the confidential medical records were posted on the Internet and therefore divulged to anyone with a computer and Internet access. Portal Healthcare, 35 F. Supp. 3d 765, 771 (E.D. Va. 2014).
Although not stated explicitly in the Appellate Court’s opinion in Recall, there is a suggestion that the confidential data on the tapes was never actually accessible in the first place. In particular, the Appellate Court noted that the record contained an affidavit from an IBM data manager stating that the tapes could not be read by a personal computer. Recall, 147 Conn. App. at 463, aff’d, 317 Conn. 46 (2015). The Appellate Court also observed that the parties in that case had stipulated that none of the IBM employees had suffered injury as a result of the lost tapes, id., and it further remarked elsewhere in its opinion that even though the tapes contained the sensitive data of approximately 500,000 past and present IBM employees, four years had elapsed since the loss of the tapes, and there was no evidence that any of the employees had suffered identity theft or a violation of privacy as a result. Id. at 454.
In any event, it is unlikely that the Court of Appeals’ decision in Portal will have far-reaching import in the context of general liability coverage for data breach claims. First, neither the District Court’s opinion nor the Court of Appeals’ opinion sets forth any broad statements about the potential for data breach coverage under general liability insurance policies. Second, in the last few years, many liability insurers have begun issuing policies with specific endorsements that exclude coverage for data breach claims and “data-related liability.” Other insurers responding to the rise of data breach claims issue endorsements that delete coverage for invasion of privacy claims entirely from the standard definition of “personal and advertising injury.” The increased prevalence of such endorsements in current liability policies is therefore likely to mute the impact of decisions like Portal in the context of data breach claims.
For more information, please contact Sean Mahoney (firstname.lastname@example.org; 215.864.6342), Laura Schmidt (email@example.com; 215.864.6333) or another member of our Insurance Coverage and Bad Faith Group.