Savvy in-house counsel and business owners often ask whether the insurers selling cyber policies actually pay claims or whether the policyholders are just buying the right to later sue the insurers for coverage. The initial wave of cyber insurance litigation involved policyholders trying to obtain coverage for data breaches under their standard commercial general liability policies. This produced mixed results, with some courts finding coverage while others did not. The next wave of cyber insurance litigation involved policyholders asserting claims under specialized cyber policies, which had better results for the policyholders. The Travelers v. Portal Healthcare Solutions, LLC case falls into the latter category.
The Facts in Travelers v. Portal Healthcare Solutions, LLC
Glens Falls Hospital entered into a contract with Portal to electronically store confidential medical records. Portal then contracted with Carpathia Hosting, Inc. to provide hosting services for the records. The records of 2,300 patients were loaded onto the website. When two patients did a Google search on their names, they were taken to the website. From there, they were able to retrieve their personal information, including past and current medical treatment, medications, social history, physical examination, laboratory data, and future treatment plans, without having to undergo any security questions.
Two class action lawsuits were filed against Portal alleging that for a period of four months, patient medical records were accessible on the internet to anyone without any security restrictions through a server operated by Portal and hosted by Carpathia. When Portal sought coverage for the class actions, Travelers denied its duty to defend Portal against the claims and filed its own lawsuit against Portal seeking a declaration of no coverage.
Travelers’ Web Xtend Liability Policy
Portal purchased a Travelers’ Web Xtend Liability endorsement to its commercial general liability policy. The insuring agreement of the endorsement stated that Travelers will defend the insured and “pay those sums that the insured (Portal) becomes legally obligated to pay as damages because of ‘personal injury’, ‘advertising injury’, or ‘web site injury’ to which this insurance applies.” The policy defined “advertising injury” as arising out of the “electronic publication of material that … gives unreasonable publicity to a person’s private life.” The policy defined “personal injury” as injury arising out of the “electronic publication of material that … discloses information about a person’s private life.”
The District Court’s Ruling
Travelers filed a motion for summary judgment and argued that the allegations in the class action complaint merely alleged that the two plaintiffs saw their own medical records, but there were no allegations that anyone else saw the records. Travelers reasoned that absent some evidence that a third party saw the records, there was no covered “publication.”
The Federal District Court for the Eastern District of Virginia, applying Virginia law and the 8-corners rule, rejected Travelers’ arguments. That is, looking at the four corners of the complaints and the four corners of the policy, the Court held that Travelers’ duty to defend Portal had been triggered because publication occurred when the confidential information was “placed before the public,” and not when a member of the public read the information placed before it. The Court stated:
By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it. Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search… the information was posted on the internet and thus, was given not just to a single thief but to anyone with a computer and internet access.
The Fourth Circuit’s Ruling
Travelers appealed the Court’s decision, which was affirmed by the Fourth Circuit Court of Appeals. The Fourth Circuit commended the trial court’s sound legal analysis and held that “Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal.” Travelers Indem. Co. of Amer. v. Portal Healthcare Solutions, Inc., Case No. 14-1944 (4th Cir. April 11, 2016).
From a policyholder perspective, make sure you ask your broker and your lawyer about the claim history of the insurer before you buy a particular policy. Is the insurer generally known for paying claims or are you just buying the right to file a lawsuit for coverage? We wrote about CNA’s NetProtect 360 policy in a prior post that is also a cautionary case worth reading. In addition, in 2015, Travelers filed, and later settled, a subrogation lawsuit (standing in the shoes of the policyholder) against Ignition Studio, Inc., a website designer, following a data breach at an Illinois bank where the website designer failed to incorporate reasonable security into the bank’s new website. Following a data breach, Travelers paid the claim and then sued the website designer to recoup the damages it paid. The bank’s claim was under a cyber-insurance policy rather than the type of endorsement at issue in Portal’s case.
Policyholders also want to be cautious when entering into contracts with vendors for electronic records storage. First, try not to limit your damages to the price paid for the vendor’s services. The vendor’s fee will likely be dwarfed by the cost to respond to a data breach and defend and possibly settle a lawsuit.
Second, negotiate the right to pursue damages against the vendor’s professional liability insurer. Make sure the vendor’s insurance will cover the potential loss and expenses, is adequate in amount, and stays in force during the term of the contract.
Buyer beware remains the appropriate adage.