Posted April 13th, 2016 in Top Stories
Appeals Court Ruling Shines Light on CGL Insurance’s Applicability for Data Breaches
The Fourth Circuit just affirmed a Virginia district court ruling that Travelers Indemnity Company of America had a duty to defend a class action brought against Portal Healthcare Solutions, LLC under a cyber liability insurance policy providing coverage for the electronic publication of certain materials. The class action in Travelers Indem. Co. of America v. Portal Healthcare Solutions, LLC alleged that, due to a security failure, the wrong security setting was selected on a web access portal, allowing normal search engines to scoop up not only the login page as a search result but also the underlying sub-pages containing medical records. Members of Portal Healthcare used the web access portal not only to log into their accounts but also to click through to review their medical records.
The Fourth Circuit held that the Eastern District Court of Virginia correctly analyzed the matter under the “Eight Corners” rule, where the court must look first to the four corners of the contract (i.e., the insurance policy) and then to the four corners of the complaint. The policy provided coverage for “publication” of electronic materials which give “unreasonable publicity” to or “disclose” information about an individual’s private life. Travelers argued both that there could not be “publication” when the insured’s business was the protection of information and that no third party actually viewed the information. On the first point, the court determined that publication does not refer to intent (whether the information was intentionally or unintentionally disclosed), so that argument was rejected. On the second, the court noted that publication occurs when information is placed “before the public,” without reference to whether the public actually reads it. Under the second requirement for coverage, Travelers argued that “publicity” requires a proactive step to “attract” interest and that “disclosure” requires a third party to actually view the information. The court held that the publicity was unreasonable due to the nature of the sensitive information contained in the medical records, and that there was no requirement that the insured take overt action to attract attention to the information. As to the “disclosure” argument, the court held that disclosure occurred when viewing by a third party became possible, not when or if a third party actually viewed the information.
The case is a reminder that insureds need to read their policies in detail to ensure they understand what is or is not covered. It is also a reminder that even if coverage exists, failing to follow good security standards of review and oversight in establishing web access to confidential or sensitive information can lead to inadvertent breaches and the risk of significant damages.
To speak with Katheryn Andresen about the implications of the Fourth Circuit’s decision, contact her at email@example.com or call 612.305.7730.