Fourth Circuit Requires CGL Carrier To Defend Cyber Liability Class Action
On April 11, the 4th Circuit Court of Appeals issued an unpublished opinion upholding the ruling of a Virginia federal district court requiring Travelers to defend a cyber liability class action under a commercial general liability policy. The class action alleges that Travelers’ insured, Portal Healthcare Solutions, LLC, allowed private medical records to be accessible on the internet in an unsecured manner. Portal set up an internet based system to maintain a hospital’s medical records. The class plaintiffs alleged that they were able to access their own medical records on that system without any security screen or password requirement. Travelers had two comprehensive liability policies at issue. One provided coverage for damages resulting from “the electronic publication of material that . . . gives unreasonable publicity to a person’s private life,” and the other for damages caused by “the electronic publication of material that . . . discloses information about a person’s private life.”
Travelers argued that the class action failed to allege facts establishing any “publication,” where its insured Portal intended its internet records retention system to be for the purpose of keeping medical records confidential. Travelers further argued the class action alleged no “publication” because there was no allegation that any medical records actually had been seen by any third person. The Fourth Circuit affirmed the district court’s rejection of both of these arguments, and its resultant holding that designing the system in a manner that allowed third party access, even if inadvertent, satisfied the term “publication” as a matter of law.
Because the Fourth Circuit issued its opinion as unpublished, it has no binding precedential value, but nonetheless establishes that there are potential avenues of establishing coverage and/or a duty to defend under a traditional comprehensive general liability policy, for claims of cyber liability.