Insights: Alerts General Liability Coverage for Cyber Risks Arising from "Publication" of Private Data
Courts have disagreed regarding the requirements for proof of publication of private data—is “potential” credit or identity theft enough, or must actual access to and/or misuse of the data by a third party be proven? In a potentially landmark case decided on April 11, 2016, the United States Court of Appeals for the Fourth Circuit has affirmed a ruling of a district court in Virginia holding that proof that a third party actually read and misused private data is not required to satisfy the “publication” requirement of a CGL policy. Travelers Indem. Co. of America v. Portal Healthcare Solutions, L.L.C., __ Fed. Appx. ___, __ Westlaw ___, Case No. 14 1944 (4th Cir., April 11, 2016), aff’g, 35 F. Supp. 3d 765 (E.D. Va. 2014).
In Portal Healthcare, the trial court addressed the question of whether or not Travelers had a duty to defend its insured against class action claims arising out of the posting on the internet of confidential medical records, thereby “making the records available to anyone who searched for a patient’s name….” 35 F. Supp.3d at 767. Travelers argued, as have other carriers in cases decided elsewhere, that there was no publication of the private data “because no third party is alleged to have viewed the information.” Id. at 770. The trial court disagreed. The court ruled that “the issue is not whether a third party accessed the information because the definition of ‘publication’ does not hinge on third-party access.” Id. at 771. Rather, citing the general, pro-insured rules of policy interpretation in Virginia (and elsewhere) when there are “uncertainties” in policy language, the court noted that the term “publication” was not defined by the policies at issue. Relying on a dictionary definition, the court ruled that “publication” of private data occurs when private “information is ‘placed before the public,’ not when a member of the public reads the information placed before it.” Id.
In reaching this result, the trial court distinguished other cases, such as Creative Hospitality Ventures, Inc. v. U.S. Liability Ins. Co., 444 Fed. Appx. 370 (11th Cir. 2001) and Recall Total Info Mgmt., Inc. v. Fed. Ins. Co., 147 Conn. App. 450, 83 A.3d 664 (2013), aff’d 317 Conn. 46, 115 A.3d 458 (2015) (per curiam) finding that no publication occurred absent proof that a third party actually read and/or misused the private data at issue. In Creative Hospitality, a FACTA case, the improperly disclosed credit card information was disclosed only to the credit card holder and not to any third party. In Recall, private data on unencrypted computer tapes had been compromised when the tapes were lost on a public highway (arguably placed before the public) and stolen by a thief. Absent evidence that the thief had read or misused any of the private data on the tapes, the Connecticut courts ruled that no publication had occurred. Distinguishing Recall, the Portal Healthcare court decided that the private medical information at issue was “given not just to a single thief but to anyone with a computer and internet access,” thereby satisfying the publication requirement. The court also ruled that the public availability of the records on the internet also satisfied the policies’ coverage for “unreasonable publicity” about the plaintiffs’ private life because the insured had “posted their medical records on line without security restriction.” Id. at 772. Echoing its publication ruling, the district court concluded that “the records were disclosed the moment they were posted publicly online, regardless of whether a third party viewed them.” Id.
The Fourth Circuit’s unpublished, per curiam affirmance commended the Virginia district court’s “sound legal analysis.” (Fourth Circuit Slip Op. p. 6). The policyholder prevailed in Portal Healthcare; but, in other jurisdictions, such as Connecticut, more specific allegations and proof of third party access may be necessary to establish that a “publication” of private data occurred that would to trigger a CGL policy’s coverage for invasion of privacy. Nevertheless, the outcome in Portal Healthcare does show that in appropriate circumstances and in some jurisdictions, CGL policies can provide cyber liability protections when private data is hacked or errors by the data custodian result in the public posting of unsecured, private data on the internet.
Caroline W. Spangenberg
Edmund M. Kneisel
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.