July.15.2016

Cyber liability & CGL Part B coverage – uncertainty reigns

In April this year, an Appellate court upheld a U.S. District Court decision handed down in August 2014 in finding an insurer had a duty to defend under a CGL policy in a data breach case. While the policy wording may not be common, the decision considers a number of aspects of “publication”, likely to have wider application to Part B coverage in Canada. Unfortunately the decision does nothing to settle the law in this area.

In Travelers Indemnity Company of America v. Portal Healthcare Solutions LLC[1], at issue was whether Travelers had a duty to defend Portal against class action allegations that Portal posted confidential medical records on the internet, making the records available to anyone who searched for a patient’s name and clicked on the first result. Both parties brought motions for Summary Judgment. The Court denied Travelers’ motion for a declaration that it did not owe a duty to defend and granted Portal’s motion; holding that it was owed a defence in the class action. This was upheld on appeal in very brief reasons. This note therefore considers the first instance judgment.

Travelers issued two policies to Portal covering the electronic publication of certain materials. Each had substantially identical wording for the provision at issue. The first policy offered coverage for sums Portal became legally obligated to pay as damages because of injury arising from the “electronic publication of material that … gives unreasonable publicity to a person’s private life“; the second policy, from the “electronic publication of material that … discloses information about a person’s private life“. (our emphasis)

Portal contracted with Glen Falls Hospital for the electronic storage and maintenance of its patients’ confidential medical records. Two patients discovered that when they conducted a “Google” search of their respective names, the top of the search page was a direct link to their respective Glen Falls medical records. It was determined that for a period of roughly 4 months, the records of Glen Falls patients (around 2,300 of them) had been hosted on an unprotected server and susceptible to attack. A class action followed for damages alleging negligence, breach of warranty and breach of contract against Glen Falls Hospital, Portal, and another.

Portal asserted that Travelers had a duty to defend it in the class action under what appears to be a CGL policy. The court agreed, recording that an insurer has a duty to defend an insured so long as the complaint alleges grounds for liability “potentially or arguably covered by the policy”.   It held that exposing confidential medical records to public online searching placed highly sensitive, personal information before the public, and this conduct fell within the Policies’ coverage for “publication” giving “unreasonable publicity” to, or “disclos[ing] information about, … a person’s private life”.

Publication”:

In its analysis, the court first considered whether there had been publication of material. It held that making the records publicly accessible via an internet search fell within the meaning of “publication” of electronic material. The term was not defined in the policy, and so the parties relied on various dictionary definitions. In adopting a definition requiring the records to be “placed before the public..”, the court held that exposing medical records to the online searching of a patient’s name, followed by a click on the first result, at least “potentially or arguably” (i.e. in considering whether there was a duty to defend) placed those records before the public.

The court rejected Travelers argument that the publication had to be intentional on the part of the insured. It also rejected the argument that there was no “publication” where there was no allegation any third party had viewed the records, holding that “Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it

The court was referred to, and distinguished Recall Total Info. Mgmt. Inc. v. Fed. Ins. Co[2] in the basis that, while in that case the tapes (containing the data) were taken by an unknown person and never recovered, here “the information was posted on the internet and thus, was given not just to a single thief but to anyone with a computer and internet access.

We note the following.

First, the finding that placing material on the internet in a retrievable form amounts to “publication” as that term is commonly understood, would seem to be in line with prior Canadian authority. In Reform Party of Canada v Western Union Insurance Company[3] it was held that posting on the internet met the definition of “publication”. The Court noted that dictionary definitions of “publish” and “broadcast” required activity that is accessible and available to the public. There were 738 ‘hits’ to the website, although the court commented that the number of hits was not relevant; the fact the audience was not restricted, was.

Second, in rejecting the argument that the publication must be intentional, the decision appears, at first blush, to be at odds with that in Zurich America Insurance Co. v Sony Corp. of America,[4] where it was held that publication (there by hackers) did not fall within coverage as it had to be “by or on behalf of [the Insured]”.  However, the decisions seem distinguishable on their facts. In Zurich, the analysis focused on who the publisher was. In Portal there was no such focus, as the underlying claim appears to have assumed that the publication (i.e. to the internet) was by or on behalf of Portal (and due to its alleged negligence), rather than hackers breaching the servers & placing the material on the internet.

Third, we suggest that Recall Total is distinguishable on its facts, but not for the reasons given in the judgment. In that case, the evidence was that the data on the stolen tapes was encrypted, and there was no suggestion that it had actually been accessed (much less posted on the internet). Thus applying the definition of publication used by the court in Portal, there was no evidence that the information had been “placed before the public.”

However, Portal is at odds with Recall Total, in the definition of “publication” adopted. Specifically, in Recall Total, the court adopted a definition requiring “communication … to the public.” On this basis, there was no publication in that case (to the thief or any other). If that definition had been applied by the court in Portal, arguably there would have been no publication, as while the information was obtainable through a “Google” search, the only evidence of the information being communicated was to the individual patient subjects of those records. In Portal the court implicitly rejects a definition requiring communication: Travelers’ had argued that there was no publication because no third party was alleged to have viewed the information. In rejecting this submission, the court held

By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it. Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning…[5]

It is to be noted that the appeal decision in Recall Total came after the first instance decision in Portal, but makes no mention of that case. Similarly, the appeal decision in Portal came after the appeal in Recall Total, but makes no mention of it.

“Unreasonable publicity”:

Unlike the IBC wording, which (only) requires “Oral or written publication, in any manner, of material that violates a person’s right of privacy”, the first of the two Travelers policies required “unreasonable publicity”. However it does not appear that much turned on this distinction, given the nature of the electronic material that was at issue.

 

“Disclose”:

Finally, Travelers sought to distinguish between “publication” & “disclosure”, arguing that Portal’s conduct did not “disclose” patients’ private lives because the patients in the class action suit only viewed their own records and (of course) the patients already had knowledge of those. However, the court adopted an identical meaning of disclosure to publication in holding;

under the plain meaning of “disclosure,” the records were disclosed the moment they were posted publicly online, regardless of whether a third party viewed them”.[6]

The judgment goes on to recite that “Travelers’ own definition of “disclosure” refers to the “[t]he act or process of making known something that was previously unknown.”” It is not clear from the citation whether this definition is from either policy, or from submissions. However, if the former, there would appear a strong argument that the allegations in the underlying claim did not meet the definition of “disclosure”. The court held:

What Portal did by posting the records was engage in the process of making previously unknown records suddenly known to the public at large.”[7]

In so doing, it appears to have taken somewhat of a leap of logic in assuming the records had actually “been made known” – i.e. to someone.

The affirmation of the first instance judgment in this case (in concert with the absence of an appeal judgment in Zurich v Sony, and the appeal in Recall Total), certainly does not settle the law in this area. No doubt there will continue to be claims made under CGL polices for cyber-related losses, and further judicial consideration of whether and in what way the decisions in these 3 cases should be interpreted when a court is faced with a similar, but different fact pattern.

[1] United States District Court, E.D. Virginia, Alexandria Division [35 F.Supp.3d 765 (2104)];

aff’d; United States Court of Appeals, 4th Circuit (No 14-1944)

[2] 147 Conn.App. 450, 83 A.3d 664 (2013); appeal dismissed May 2015; https://www.jud.ct.gov/external/supapp/Cases/AROcr/CR317/317CR54.pdf

[3] [1999] BCJ No. 2794 (reversed on other grounds; [2001] BCJ No. 697 (BCCA))

[4] NY State Supreme Court, Mar. 3, 2014

[5] Note 1, at p771

[6] Note 1 at p772

[7] Ibid

 

Download as PDF

Adam Howden-Duke