Can an inadvertent Internet posting of a patient’s medical information trigger insurance coverage for liability stemming from a data-breach class action? The Fourth Circuit held last week that it can, and it added to the growing body of case law construing what “publication” means in the context of whether class liability is covered by commercial insurance policies.
We’ve written before about two of the hot corners of the class action arena, data breaches and Telephone Consumer Protection Act claims, in which much of the recent litigation has turned on the extent to which a plaintiff can establish or has established standing. But recent cases, including last week’s Fourth Circuit opinion in Travelers Indem. Co. of America v. Portal Healthcare Solutions, L.L.C., —Fed. Appx.—, 2016 WL 1399517 (4th Cir. 2016), reflect the burgeoning importance of the subsidiary insurance coverage issue.
In Portal Healthcare, the Fourth Circuit affirmed a district court ruling that a data breach constituted a covered claim and therefore required the carrier to defend Portal in the underlying class action brought by medical facility patients. The crux of the coverage dispute was whether Portal’s allegedly inadvertently putting the patients’ medical records on the Internet qualified as publication as defined by the insurance policy. The policy provided coverage for Portal’s liability for injuries related to “electronic publication of material that . . . give unreasonable publicity to a person’s private life.”
The insurance company argued, applying Virginia state law, that the accidental Internet postings could not be publications under the policy because only the actual patients accessed their own information on the Internet after typing their names into a Google search. That is, no third party ever saw the medical information on the Internet. And without publication to a third party—the traditional means of assessing publication in the privacy invasion context—Travelers argued that there could be no publication within the meaning of the policy.
The district court and the Fourth Circuit rejected that argument. The Fourth Circuit panel held that publication occurred, and therefore coverage followed, because Portal allegedly made the private information publicly available on the Internet, regardless of whether a third party actually accessed the information. (Astute readers will also recognize this question is crucial to the standing analysis in data breach cases, which holds that “mere loss of data” is insufficient to establish standing.)
The result is similar to the majority of Telephone Consumer Protection Act insurance disputes, which, depending on the relevant state law, have held publication to not require disclosure to a third party so long as the call or fax recipient’s right to seclusion is infringed upon in a TCPA violation. Other courts, however, require third-party disclosure for publication to occur. With individual state-by-state laws controlling the coverage dispute—despite the uniformity of the federal claims case by case—divergent results are expected to persist.
With data breach and TCPA litigation at the forefront of class litigation, companies that are vulnerable to such claims should consider reviewing their insurance coverage.