The United States Court of Appeals for the Fourth Circuit (“Fourth Circuit”) recently concluded that an insurer had a duty to defend a health care company that was sued by individuals whose personal health information was breached. Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir., Apr. 11, 2016). Though the facts of this matter are somewhat unique, this case constitutes an important opinion for businesses considering applicable insurance coverage for data breach and cybersecurity losses. As plaintiffs’ attorneys throughout the country focus on data breach and privacy litigation, including class action claims in that context, it is important to assess coverage in light of this new decision.
 
The underlying lawsuit alleged that a health care information company engaged in conduct that resulted in the plaintiffs’ private medical records being on the internet for more than four months. During the period when the alleged conduct occurred, Portal, the health information company, was insured under two policies issued by Travelers for commercial general liability. This is the type of insurance that most business owners regularly maintain to insure their business operations and premises, and was not the separate cyber insurance that is offered by many insurers today.
 
Travelers contended that it did not have a duty to defend because Portal’s actions did not constitute a covered “publication” under the CGL policy. The Fourth Circuit assessed the District Court’s thorough analysis of Virginia law regarding duty to defend principles and types of coverage. The Court noted the district court’s finding that “the insurer must use ‘language clear enough to avoid . . . ambiguity’ if there are individual types of coverage that they do not want to provide.” Accordingly, the Fourth Circuit explained that the plaintiffs’ class action complaint “at least potentially or arguably” alleged a “publication” of private medical information by Portal that constitutes conduct covered under the policies. The alleged conduct, if proven, would have given “unreasonable publicity to, and disclose information about patients’ private lives,” because any member of the public with an internet connection could view the plaintiffs’ private medical records during the time the records were available on the internet.
 
With increased cybersecurity concerns and expensive remediation and breach notification costs, insurance coverage for such losses is important. The holding in this case is limited and non-precedential because the decision was unpublished. Also, this particular case is factually distinguishable from many others because it involved the insured’s own negligence that resulted in the publication of such data on the internet for a four-month period. Contrast such a publication to data breach or security incidents caused by outside hackers or other misconduct which other court cases have addressed and which is more frequently denied under traditional CGL policies. Finally, newer CGL policies contain updated provisions and endorsements addressing data security issues.
 
Should you have any questions or concerns regarding your entity’s cyber insurance coverage and data breach preparedness, please contact Spilman Thomas & Battle, PLLC.