A federal court of appeals held that general insurance policies cover a data breach class action in a case that is highly likely to impact how courts throughout the country resolve insurance claims related to cyberattacks and policy renewal negotiations.
On April 11, 2016, the United States Court of Appeals for the Fourth Circuit upheld a trial court’s finding that Travelers Indemnity Company of America is required to defend Portal Healthcare Solutions, LLC in a class action filed in New York. In the original case, two plaintiffs filed a class action alleging that Portal failed to safeguard their confidential medical records when they were made publicly accessible on the internet. Travelers filed a separate action seeking a declaratory judgment that it was not required to defend Portal. Travelers argued that the class representatives had not alleged that Portal had “published,” given “undue publicity,” or “disclosed” the plaintiffs’ information to any third party, to trigger coverage under the policies.
Applying Virginia law, the trial court disagreed, finding that it was required to follow the “Eight Corners Rule” by looking to the four corners of the class action complaint to determine whether it alleged grounds for liability “potentially or arguably covered” by the four corners of the insurance policies. The trial court concluded that since the policies did not define the operative terms “publication,” “unreasonable publicity,” or “disclose,” those terms would be given their plain and ordinary meaning. Citing common dictionaries, the court found that the tort alleged in the class action – i.e., exposing the plaintiffs’ medical records online – constituted publication, unreasonable publicity, and disclosure of the medical records even if the only individuals who actually saw the records were the plaintiffs. Thus, the court concluded, Travelers was required to provide a defense to Portal.
The Fourth Circuit upheld the trial court’s ruling, holding that the trial court correctly applied the Eight Corners Rule, particularly because “under Virginia law, an insurer’s duty to defend an insured is broader than its obligation to pay or indemnify an insured” and that “the insurer must use language clear enough to avoid ambiguity if there are particular types of coverage that it does not want to provide.”
Although the Fourth Circuit was interpreting Virginia law, most jurisdictions throughout the United States – including Utah – apply the Eight Corners Rule and, even where the rule is articulated differently, as in Colorado, courts universally hold that insurance companies have a broad duty to defend.
The ruling has significant implications for claims under existing or prior policies. First, companies that are or have been the target of cyberattacks likely have a strong claim that their existing general insurance policies cover any ensuing litigation related to the cyberattacks. Because a company may not discover that it was the target of a cyberattack until months or years afterwards, insurance companies will likely have to cover significant claims covered by current or prior policies for years to come.
Second, companies should pay close attention to the definitions and exclusions proposed by their insurance companies during negotiation of their policy renewals. As most policies are annual, insurance companies are likely to carefully define the exclusions to heed the Fourth Circuit’s admonition that they must clearly identify the types of data disclosures they intend to exclude from coverage. Given the increased frequency of cyberattacks, companies should bargain equally as hard for protection under their policies in the event they become the next victim of a data breach.
Holland and Hart’s cybersecurity and data privacy attorneys have significant experience helping clients prepare for and respond to cyberattacks. They also work closely with the firm’s insurance coverage attorneys, Michael Carrigan, Joe Ramirez, and Catherine Crane, to understand and negotiate policies that may or may not include cyber-risk insurance. Contact Romaine Marshall or Engels Tejeda if you would like more information.
The case is Travelers Indemnity Co. of America vs. Portal Healthcare Solutions, L.L.C., Case No. 14-1944 (4th Cir. April 11, 2016).
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author(s). This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.