A special to USLAW NETWORK and USLAW DigiKnow

By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey

A blow to insurers implementing the commercial general liability (CGL) policy, the federal appeals court in Virginia found coverage for a data breach under a CGL policy when private patient records were found online. Portal Healthcare Solutions, a firm with its principal office in Virginia, was sued by two individuals when they found that they were able to find their medical records from their stay at Glen Falls Hospital in New York hospital during their stay when they searched for their names on Google. The plaintiffs eventually filed a class action against Portal for not safeguarding the plaintiffs’ record in connection with their employment by Glen Falls Hospital in New York.

Traveler’s policy stated that they were only obligated to pay Portal if it became legally obligated to pay damages due to an advertising or website injury arising from the “electronic publication of material that… gives unreasonable publicity to a person’s private life” (the language found in the 2012 policy) or (2) the “electronic publication of material that… discloses information about a person’s private life.” The district and circuit court both agreed that the insurance coverage applied, finding that it exposed the plaintiffs to “publication” from online search and constituted “unreasonable publicity.” Additionally, the court was also not persuaded by Traveler’s argument that there was no actionable personal injury because the records were not released intentionally nor viewed by a third party, finding that personal injury does not hinge on third party access.

The Fourth Circuit ruling is at odds with two state court rulings, one in Connecticut in 2015 and another seminal case in New York in 2014. The New York court found that Zurich American Insurance Co. had no duty to defend Sony Corp. of America and Sony Computer Entertainment America in litigation that stemmed from the hacking of Sony Corp.’s PlayStation online services. The New York court ruled that acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the personal and advertising injury coverage under the CGL policy issued by Zurich.

The Fourth Circuit ruling reflects the growing prevalence and nature of evolving cyber risk for businesses and the need to clarify the insurance industry’s role and responsibility in insuring against it. While the courts have made an effort to decipher the CGL’s coverage, other insurers have begun to offer standalone cyber policies and endorsements to cover the gap in cyber coverage. The growing frequency of cyber attack and data breach will continue to force the cyber insurance industry to evolve and contemplate its liability under the CGL and its policies.