On April 11, 2016, the Fourth Circuit held that a records storage company was entitled to a defense under its CGL policy for a class action lawsuit claiming that the company failed to safeguard confidential medical records. In affirming the decision of the US District Court for the District of Virginia, the Fourth Circuit commended the District Court for its thorough and sound legal analysis and agreed that the class action complaint fell at least partially within the relevant CGL Policies’ coverage grants. In affirming the District Court’s decision, the Fourth Circuit reinforced a pathway for policyholders to obtain coverage for Data Breach events under a CGL Policy.
The District Court’s decision, which can be found here, highlights the breadth of the duty to defend and its application to the CGL Policies involved in the dispute. The policies at issue required Travelers to pay sums Portal becomes legally obligated to pay as damages because of injury arising from a publication that gives “unreasonable publicity” to, or “discloses” information about, a person’s private life. The District Court held that allegations of exposing material to the online searching of an individual’s name constitutes a “publication” under the plain meaning of the term and that allegations of posting confidential medical records online without security restriction constitutes a disclosure of confidential information. As a result, Travelers was required to defend Portal in the class action pending against it.
Although this is a positive result for policyholders, the insurance industry has been increasingly incorporating exclusions designed to eliminate the arguments for coverage made by Portal in this case. Thus, this case is most valuable for legacy policies and as an illustration of how the CGL policy can provide overlapping coverage with other, risk specific coverages.