Earlier this month in an unpublished opinion, the Fourth Circuit Court of Appeals found that Travelers Indemnity Company of America ("Travelers") had a duty to defend its insured against a data breach suit under the terms of its Commercial General Liability ("CGL") policy.
The underlying data breach class-action suit alleged that the insured, Portal Healthcare Solutions, LLC ("Portal"), engaged in negligent conduct that resulted in the plaintiffs' private medical records being publicly available on the internet. Portal was insured by two Travelers' CGL policies during the time of the alleged misconduct by Portal. Travelers sued Portal in the Eastern District of Virginia, seeking a declaration that it was not obliged to defend Portal against the claims in the class-action complaint. As grounds, Travelers argued that the class-action complaint failed to allege a "personal injury" as defined by the CGL policies. Travelers and Portal each moved for summary judgment on the duty-to-defend issue.
Under the policy language, whether a personal injury had been alleged hinged on 1) whether there was "an electronic 'publication' of material"; and 2) whether any "published material gave 'unreasonable publicity' to, or 'disclosed' information about, a person's private life." The district court first determined that an electronic publication had been alleged: "Exposing medical records to the online searching of a patient's name, followed by a click on the first result, as least 'potentially or arguably' places those records before the public." The district court then determined that the allegation that patients' medical records were searchable on the internet gave "unreasonable publicity to a person's private life." As a result, the district court held that "personal injury" had been alleged and Travelers had a duty to defend Portal. The Fourth Circuit "commending the district court for its sound legal analysis" affirmed the judgment on the reasoning of the district court.
The Travelers opinion is yet additional evidence, that whether data breaches are covered by a company's CGL policy, is far from unsettled.