In a noteworthy decision on the coverage of data breaches by commercial general liability (CGL) policies, the United States Court of Appeals for the Fourth Circuit affirmed a lower court’s August 2014 holding that Portal Healthcare Solutions LLC (Portal) is covered under its CGL policies with The Travelers Indemnity Company of America (Travelers). The unpublished opinion in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016) found that Travelers has a duty to defend Portal for a civil lawsuit pending in New York state court related to the disclosure of confidential patient information.

The underlying putative class action, filed in April 2013, alleges that Portal negligently failed to secure a server containing confidential records for certain patients. As a result, the records allegedly were available for anyone to view online. According to the plaintiffs’ allegations, two of the patients searched for themselves on Google and discovered that their medical records were publicly available.

Under Portal’s CGL policies with Travelers, coverage is triggered when Portal becomes obligated to pay damages because of injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life” or “discloses information about a person’s private life.” The term “publication” is undefined in the policies. The district court held that “exposing confidential medical records to public online searching placed highly sensitive, personal information before the public,” resulting in “publication” under Portal’s CGL policies.

The appellate court affirmed the district court, reasoning that “[u]nder Virginia law, an insurer’s duty to defend an insured ‘is broader than its obligation to pay’ or indemnify an insured.” The Fourth Circuit emphasized that the onus is on the insurer to draft clear policies regarding the scope of coverage: An insurer must “use ‘language clear enough to avoid … ambiguity’ if there are particular types of coverage that it does not want to provide.”

The opinion is a reminder of the evolving legal landscape regarding insurance coverage for data breaches and of the need to consult counsel when evaluating coverage.