Fourth Circuit Holds CGL Insurer Must Defend Policyholder For Information Posted On The Internet
April 15, 2016
On April 11, 2016, a partial panel of the Fourth Circuit Court of Appeals in Travelers Indemnity Co. of Amer. v. Portal Healthcare Solutions, LLC, affirmed a significant coverage decision with respect to the breach of medical records posted on the internet.
Portal Healthcare, a business specializing in the electronic safekeeping of medical records, inadvertently posted the confidential medical records of patients on the internet, which became potentially accessible to anyone who had performed a search of the patient’s name. Some of the affected patients commenced a class action lawsuit in New York against Portal Healthcare, to which Portal Healthcare sought coverage from its primary comprehensive general liability (“CGL”) insurer. In the unpublished decision, the Fourth Circuit agreed with the district court that the insurer must defend its policyholder under two (2) primary CGL policies, which modified the “publication” offense within Coverage B (Personal and Advertising Injury Liability). The decision is noteworthy because it adds to the growing and divided national authority as to what constitutes a “publication.”
In the decision reached below, the district court, applying Virginia law, held the insurer had a duty to defend Portal Healthcare because the class action complaint “at least potentially or arguably” alleges a publication within the meaning of the endorsements. The court found that placing this information online caused “unreasol;;nable publicity” or “disclos[ed] information about” a person’s private life. The district court rejected the insurer’s arguments that Portal Healthcare did not intentionally expose the records to the public or that there was no allegation that a third-party (other than the patients) had viewed the information. The district court reasoned that the plain definition of the term “publication” did not depend upon the publisher’s intent or whether a third-party has access to the information. The district court further explained that a “publication” occurs when the information is “placed before the public” and not when “a member of the public reads the information placed before it.”
In affirming the decision, the Fourth Circuit “commend[ed] the district court for its sound legal analysis” in applying the duty to defend standard. The Fourth Circuit also rejected the insurer’s “efforts to parse alternative dictionary definitions “ in order to absolve itself from defending Portal Healthcare, and cited cases for the proposition that the meaning of any ambiguous term is to be construed in favor of coverage.
Despite the Fourth Circuit’s holding that a “publication” may occur by merely posting the information on the internet, other courts have construed the meaning of the term “publication” within the “oral or written” publication offense more narrowly to require a communication intended for the public or the act of distributing information to the public. See, e.g., Creative Hospitality Ventures, Inc. v. United States Liab. Ins. Co., 444 Fed. Appx. 370, 376 (11th Cir. 2011) (holding that there was no publication if the insured “neither broadcasted nor disseminated the . . . information to the general public”); TIG Ins. Co. v. Dallas Basketball, Ltd., 129 S.W.3d 232, 238 (Tex. App. 2004) (“the word ‘publish’ is generally understood to mean disclose, circulate, or prepare and issue printed material for public distribution”); Ticknor v. Rouse’s Enter., LLC, 2014 U.S. Dist. LEXIS 21129 (E.D. La. Feb. 20, 2014) (“for there to be ‘publication’ under the ‘personal and advertising’ provision . . . the material must be made generally known, announced publicly, disseminated to the public, or released for distribution”).
The Fourth Circuit’s decision also must be distinguished from other types of cyber claims, such as those arising from cyber-attacks. In Zurich Amer. Ins. Co. v. Sony Corp. of Amer., 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct., Feb. 24, 2014), the New York State Supreme Court held that the primary CGL insurers had no duty to defend Sony for several class action lawsuits arising from cyber-attacks that occurred on the PlayStation and SOE Networks because the publication was caused by the hackers, not by any of the insureds. In so holding, the trial court rejected any efforts by Sony to expand the “oral or written” publication offense to include negligent acts in failing to safe keep the confidential information. Instead, the trial court held that the offense is only triggered whenever the insured purposely or intentionally causes the publication act, which, in that case, did not occur as the hackers stole the information.
If you have any questions about the decision, please feel free to contact Kevin T. Coughlin (973)-631-6001, email@example.com) or Steven D. Cantarutti (973-631-6060, firstname.lastname@example.org).
See Travelers Indem. Co. v. Portal Healthcare Solutions LLC, 35 F. Supp.3d 765 (E.D. Va. 2014).
 The “Web Xtend Liability” Endorsement in the 2012 policy included coverage for a personal injury that results in “electronic publication of material that . . . gives unreasonable publicity to a person’s private life.” The “Amendment of Coverage – Personal and Advertising Injury Liability” Endorsement in the 2013 policy included coverage for a personal injury that results in “electronic publication of material that . . . discloses information about a person’s private life.”
 Coughlin Duffy represented Zurich American Insurance Company in the Sony case.