Written by Beth Gould, Esq.
Companies increasingly face competing demands and challenges associated with the desire to provide convenient online spaces for their clients to conduct business while also ensuring those spaces are safe from data breaches. We are all familiar with, and seem to constantly hear about, data breaches due to intentional hacking by third parties who seek access to companies’ websites and other online databases in order to steal consumers’ information. However, there are also more passive data breaches which can occur due to a company failing to fully secure an online space. In the latter case, rather than a third party actively seeking entry into a company’s online consumer information, a company may inadvertently fail to shore up a vulnerability in an online space it provides to its consumers, potentially leaving consumer information available to the public. Both types of data breach are risks which an insurer may consider insuring or may wish to forgo insuring. If an insurer wishes to forgo covering either or both types of data breach, it must clearly address that when drafting its policy. The United States Court of Appeals for the Fourth Circuit recently considered a case involving a passive sort of data breach, affirming in an unpublished opinion that under the applicable insurance policies, a healthcare recordkeeping company must be accorded a defense by its insurer against claims by consumers that the company had made consumers’ private healthcare information accessible online to the general public.
On April 11, 2016, the Fourth Circuit Court of Appeals ruled on an appeal by the plaintiff in the declaratory judgment action, Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, of a ruling regarding summary judgment at the district court level. The Fourth Circuit issued an unpublished opinion affirming the district court’s grant of summary judgment to the defendant and denying summary judgment to the plaintiff, and directing Travelers Indemnity Company of America (“Travelers”) to defend its insured, Portal Healthcare Solutions, LLC (“Portal”), in a class action claim pending in New York state court. The underlying class action lawsuit involves a claim that Portal failed to safeguard confidential medical records, causing them to become publicly accessible.
It should be noted that, because the opinion rendered by the Fourth Circuit is an unpublished opinion, it is not binding precedent in the Fourth Circuit. However, the district court’s decision which was affirmed was rendered in the United States District Court for the Eastern District of Virginia and is binding there. Both Virginia state courts and the United States District Court for the Western District of Virginia afford significant (though not binding) weight to decisions rendered by the Eastern District of Virginia. Further, this opinion may help to show the Fourth Circuit’s inclinations with regard to the issues presented, in spite of it not being binding precedent in the circuit.
Portal is a business which specializes in the electronic safekeeping of medical records for medical care providers, including hospitals and clinics. During the time of the alleged data breach (November 2, 2012 to March 14, 2013), Portal was insured by two successive policies issued by Travelers which covered the electronic publication of certain materials. The two policies are substantially identical and obligate Travelers to pay amounts Portal is legally obligated to pay as damages arising from the “electronic publication of material that . . . gives unreasonable publicity to a person’s life” or the “electronic publication of material that . . . discloses information about a person’s private life.” Portal was contracted by Glen Falls Hospital to electronically store its patients’ confidential medical records. Portal and/or Glen Falls Hospital then contracted with Carpathia Hosting, Inc. to host the records on an electronic server. The underlying class action suit alleges that, between November 2, 2012 and March 14, 2013, Portal allowed patients’ confidential medical records to be accessible from the Internet by unauthorized persons.
In determining whether Travelers had a duty to defend Portal, the district court looked to the “Eight Corners” Rule. This requires the court to assess whether a duty to defend exists by looking at the “four corners” (i.e. the actual text of the document) of the underlying complaint and the “four corners” of the underlying insurance policy. In Virginia, an insurer’s duty to defend is broader than its obligation to pay or indemnify an insured. The duty to defend is owed as long as the complaint alleges grounds for liability potentially or arguably covered by the policy. If there is uncertainty about whether the duty to defend exists in a particular case, policy language is construed in favor of the insured. In analyzing whether the duty to defend exists in a particular case, using the Eight Corners Rule, a court will compare what was alleged by the plaintiff in the complaint with the language of the insurance policy, giving the benefit of any ambiguities in the insurance policy to the insured.
In utilizing the Eight Corners Rule, the district court determined that there were two prerequisites to coverage in the underlying case. First, the relevant policies required publication of material. The court found that, though the class action plaintiffs did not allege their records had been viewed by any third party, because they were available on the Internet for anyone to view, they had been published in the ordinary sense of the term. Next, the court considered whether the published material gave unreasonable publicity to, or disclosed information about, a person’s private life. The court found that the public availability of the class action plaintiffs’ confidential medical records sufficed to give unreasonable publicity to those plaintiffs’ private information and disclosed information about those plaintiffs’ private lives. Thus, the court found that the underlying class action complaint alleged facts and circumstances which are potentially or arguably covered by the underlying policies.
Citing Virginia law, the district court noted, in what may be taken by insurers as a word of caution, that it is an insurer’s responsibility to use language which is sufficiently clear and unambiguous if there are certain types of coverage the insurer does not wish to provide. It seems likely that insurers will increasingly offer insurance to businesses or other entities which operate online portals and other online spaces which are vulnerable to both active attack and more passive, inadvertent data breaches. Therefore, any insurer wishing to safeguard itself from the duty to defend or afford coverage for certain types of online loss must carefully draft its policies to allow for coverage only in those circumstances which the insurer is fully prepared to cover.