Think You Have Insurance Against Claims for Disclosure of Confidential Information? You May Want to Check Again

Are you relying on your insurance policy to cover unauthorized or unintended electronic disclosure of confidential information?  If so, you may want to take a closer look at your policy with an eye towards objections to coverage raised by an insurance company in a recent Fourth Circuit case.

In Travelers Indemnity Co. of America v. Portal Healthcare Solutions LLC, the Fourth Circuit Court of Appeals affirmed the Eastern District of Virginia’s decision requiring the insurance company defend its insured against improper disclosure claims.¹  The case arose after a class-action lawsuit was filed in New York against the insured alleging failure to adequately safeguard confidential medical records.  According to the pleadings, patients of the hospital found their medical records available on the Internet upon Google searches of their names.  Portal Healthcare and Travelers disagreed over whether the insurance policies obligated Travelers to defend the class-action and filed cross-motions for summary judgment in the Eastern District of Virginia.

According to the Eastern District decision, the insurance policies covered “electronic publication of material that . . . gives unreasonable publicity to a person’s private life” or “discloses information about a person’s private life.”  Given that the insured stored confidential medical records, it doesn’t seem unreasonable that the insured would have thought it had coverage for data disclosure types of claims.  However, the insurance company took the position that defense of the insured was not required.

As grounds for not defending against the class action suit, Travelers asserted that there could be no publication as required under the policy because “the entire purpose of the services [the insured] provided was to keep the medical records private and confidential.”  According to the insurance company’s argument, the fact that the records ended up available on the Internet did not mean they were published. In a similar vein, the insurance company argued that the policies at issue would only provide coverage if the insured had taken steps intending to attract the public, and further that there was no publication (and therefore no coverage) because no third-party was alleged to have actually viewed the information.

Although Travelers’ arguments were rejected and the Court found defense required, engaging in these types of disputes over policy language has potential for undesirable consequences in the underlying action (e.g., an insured might end up having to argue that there was a publication of confidential information to get insurance coverage, when that might be one of the elements of the very claim against the insured).  The case goes to show how important it is to review your coverages for data disclosure and cybersecurity types of claims, lest you find yourself surprised to fighting two battles instead of one.

¹See Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, Case No. 14-1944 (4th Cir. April 11, 2016) at the District Court, 35 F.Supp.3d 765 (E.D. Va. 2014).