In a noteworthy decision on the coverage of data breaches by commercial general liability (CGL) policies, the United States Court of Appeals for the Fourth Circuit affirmed a lower court's August 2014 holding that Portal Healthcare Solutions LLC (Portal) is covered under its CGL policies with The Travelers Indemnity Company of America (Travelers). The unpublished opinion in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016) found that Travelers has a duty to defend Portal for a civil lawsuit pending in New York state court related to the disclosure of confidential patient information.

The underlying putative class action, filed in April 2013, alleges that Portal negligently failed to secure a server containing confidential records for certain patients. As a result, the records allegedly were available for anyone to view online. According to the plaintiffs' allegations, two of the patients searched for themselves on Google and discovered that their medical records were publicly available.

Under Portal's CGL policies with Travelers, coverage is triggered when Portal becomes obligated to pay damages because of injury arising from the "electronic publication of material that ... gives unreasonable publicity to a person's private life" or "discloses information about a person's private life." The term "publication" is undefined in the policies. The district court held that "exposing confidential medical records to public online searching placed highly sensitive, personal information before the public," resulting in "publication" under Portal's CGL policies.

The appellate court affirmed the district court, reasoning that "[u]nder Virginia law, an insurer's duty to defend an insured 'is broader than its obligation to pay' or indemnify an insured." The Fourth Circuit emphasized that the onus is on the insurer to draft clear policies regarding the scope of coverage: An insurer must "use 'language clear enough to avoid ... ambiguity' if there are particular types of coverage that it does not want to provide."

The opinion is a reminder of the evolving legal landscape regarding insurance coverage for data breaches and the need for consulting counsel when evaluating coverage.

Originally published 14 April 2016

Visit us at

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2016. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.