5 Policyholder Takeaways From Portal

Insurance Coverage and Cyber Law and Cyber Security Alert

May 2, 2016

By Roberta D. Anderson

Practice Groups: Insurance Coverage; Cyber Law and Cyber Security

This article was first published by Advisen on May 2, 2016.

In a solid victory for policyholders, the Fourth Circuit upheld coverage last week for a potential data breach incident involving confidential medical records. The case is The Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C., 1 and involved coverage under two commercial general liability (CGL) insurance policies.

Significantly, and in contrast to the Recall Total case that was widely reported and debated last year, 2 the Fourth Circuit in Portal Healthcare confirmed that a covered “publication” of records can exist even if the records at issue are not actually accessed by any third party. Rather, the Fourth Circuit confirmed that “publication” is satisfied for purposes of CGL coverage if the records are merely accessible. Likewise, in contrast to the New York trial court’s decision in the Sony PlayStation data breach insurance coverage litigation, 3 the Fourth Circuit outright rejected the insurer’s argument that CGL coverage requires “intent” to publish the information, finding unintentional publication sufficient.

Portal Healthcare provides insureds another arrow in the coverage quiver, serving as an important reminder that actual and potential data breaches may be covered under CGL and other traditional policies. Here we offer a brief summary of the Portal Healthcare facts and holding—and 5 key takeaways.

Portal Facts And Holding

The insured in Portal Healthcare, Portal Healthcare Solutions, L.L.C., specializes in the electronic safekeeping of medical records for hospitals, clinics, and other medical providers.
4 At issue in Portal Healthcare was whether Portal’s CGL insurer, Travelers, had a duty to defend Portal against class-action allegations that Portal failed to safeguard confidential medical records by posting those records on the internet and making them available to anyone who searched for a patient’s name and clicked on the first result. 5

On cross motions for summary judgment in the insurance coverage litigation, the federal district court held that the posting of medical records was an electronic “publication,” and therefore covered under Portal’s CGL policies. 6 Significantly, the court rejected Travelers’ argument that there was no covered “publication” because no third party was alleged to have viewed the information. 7 Rather, applying established rules of insurance policy construction, the district court found that the undefined term “publication” required only that the records be “placed before the public” 8 and it therefore was not relevant whether or not the records were accessed by a third party. Drawing an analogy to a book placed on a Barnes & Noble shelf, the court noted that Travelers’ argument was contrary to the plain meaning of “publication”:

By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it. Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search. 9
In reaching its decision, the district court distinguished the authorities relied upon by Travelers, including Recall Total, 10 finding that Recall Total was inapposite because, in contrast to Recall Total, the information in Portal Healthcare “was posted on the internet and thus, was given not just to a single thief but to anyone with a computer and internet access.” 11

In addition, and also significantly, the district court rejected Travelers’ proposition that “publication” requires an intent to publish by the insured, finding that “an unintentional publication is still a publication.” 12 The court further explained that “the issue cannot be whether [the insured] intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent. Rather, it hinges on whether the information was placed before the public.” 13

The district court concluded that “the facts and circumstances alleged in the class-action complaint at least ‘potentially or arguably’ constitute a ‘publication’….” 14

The Fourth Circuit affirmed, commending the district court’s “sound legal analysis” and confirming that “Travelers has a duty to defend Portal against the class-action complaint.” 15

The Takeaways

Portal Healthcare offers five key takeaways:

1. Remember “traditional” policies. Portal Healthcare illustrates that there may be valuable data breach coverage under CGL and other traditional insurance policies—even in the absence of an actual breach of information.
16 This is important for organizations to remember because, while a growing number of organizations purchase specialty “cyber” and technology errors and omissions (E&O) policies, which are specifically designed to afford coverage for data breaches and other cybersecurity and data privacy-related risks, most organizations also have various forms of traditional insurance policies that may cover various types of cyber and privacy risks, including CGL, D&O, professional liability, property, and commercial crime policies, among others. In many circumstances there may be overlapping coverage under a number of the organization’s specialty and traditional insurance coverage.

2. Identify potential coverage—and potential coverage gaps—before a breach incident. Organizations are advised to carefully consider potential coverage across their entire insurance portfolio in advance of a potential breach event and undertake a “gap” analysis. While there may be valuable coverage under an organization’s CGL and other “traditional” insurance policies, insurers have made it abundantly clear that they do not want to cover “cyber” and various privacy-related exposures, including data breach, under traditional policies. For this reason, insureds should be aware that they may face costly insurance litigation to secure coverage—even where there is a good argument in favor of coverage. Likewise, in response to decisions upholding coverage for data breaches and other privacy-related exposures, the insurance industry has added various limitations and exclusions in recent years, which seek to cut off the “traditional” lines of coverage. Most recently, ISO filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These became effective in May 2014.
17 Although the full reach of the new exclusions ultimately will be determined by judicial review, from an enterprise risk management perspective, the newer exclusions provide another reason for companies to carefully consider specialty “cyber” insurance products. 18

3. Carefully consider—and negotiate—appropriate specialized coverage. “Cyber” and technology E&O insurance coverage can be extremely valuable, 19 but choosing the right insurance product presents real and significant challenges. There is a diverse and growing array of cyber products in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. In addition, the specific needs of different industry sectors, and different companies within those sectors, are far-reaching and diverse. Although placing coverage in this dynamic space presents challenges, it also presents substantial opportunities. “Cyber” and technology E&O insurance policies are negotiable, and the terms of the insurer’s off-the-shelf policy forms can often be significantly enhanced and customized to respond to the insured’s particular circumstances. Frequently, very significant enhancements can be achieved for no increase in premium. It is important to identify the right cyber insurance product and then negotiate the coverage terms so that they reflect the reality of risk and the organization’s potential particular risk profile and exposure.

4. Don’t take “no” for an answer. Unfortunately, even where there is a legitimate claim for coverage, an insurer may deny an insured’s claim. Indeed, insurers can be expected to argue, as Portal’s insurers argued, that data breaches are not covered under CGL insurance policies.
In addition, disputes are now arising under newer specialty “cyber” and technology E&O policies. 20 Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage if they effectively pursue their claim. 21

5. Maximize coverage across the entire insurance portfolio. Various types of insurance policies may be triggered by a data breach incident, and those various triggered policies may carry different insurance limits, deductibles, retentions, and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance, and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an organization’s various insurance policies, it is important for the organization to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio. By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, an organization should keep in mind considerations such as the fact that defense costs often do not erode CGL policy limits. Armed with the appropriate facts, the organization can structure the coverage strategy accordingly.

* * * * *

Portal Healthcare serves as an important reminder that, when facing a data breach event, and before an event occurs, organizations should carefully consider the insurance coverage that may be available to respond to a breach event and the most efficient ways to maximize coverage.

Author: Roberta D. Anderson
roberta.anderson@klgates.com
+1.412.355.6222

K&L Gates comprises more than 2,000 lawyers globally who practice in fully integrated offices located on five continents. The firm represents leading multinational corporations, growth and middle-market companies, capital markets participants and entrepreneurs in every major industry group as well as public sector entities, educational institutions, philanthropic organizations and individuals. For more information about K&L Gates or its locations, practices and registrations, visit www.klgates.com.

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

© 2016 K&L Gates LLP. All Rights Reserved.

1 --- Fed.Appx. ----, 2016 WL 1399517 (4th Cir. Apr. 11, 2016).
2 Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 115 A.3d 458 (Conn. 2015).
3 The trial court in Zurich Am. Ins. Co. v. Sony Corp. of Am., et al., No 651982/2011 (Sup. Ct. N.Y. County) ruled from the bench without a written opinion. The Transcript is cited below at footnote 13.
4 35 F.Supp.3d 765, 767 (2014) (Virginia law).
5 Id. at 768. Two patients in Portal Healthcare discovered that when they conducted a “Google” search of their respective names, the first link that appeared was a direct link to their respective medical records. See id.
6 Id. at 771.
The two policies at issue in Portal Healthcare covered, respectively, (1) the “electronic publication of material that ... gives unreasonable publicity to a person’s private life”; and (2) the “electronic publication of material that ... discloses information about a person’s private life”. Id. at 767.
7 The patients accessed their own records and only alleged that the information was available for view by a third party. See id. at 770-71.
8 Id. at 770.
9 Id. at 771.
10 Affirming the trial and intermediate appellate courts, the Connecticut Supreme Court in Recall Total ultimately determined that the “publication” requirement was not satisfied because, as found by the intermediate appellate court, the plaintiffs “failed to provide a factual basis that the information on the tapes was ever accessed by anyone.” Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 83 A.3d 664, 673 (Conn. Super. Ct. 2014), aff’d 115 A.3d 458, 460 (Conn. 2015) (“Our examination of the record and briefs and our consideration of the arguments of the parties persuade us that the judgment of the Appellate Court should be affirmed.”). Significantly, however, the intermediate appellate court in Recall Total noted that there was nothing in the record in that case to suggest that “the unknown party even recognized that the tapes contained personal information.” Recall Total, 83 A.3d at 673 n.9. In contrast to the very unique facts of Recall Total, there should be no question that a “publication” exists to trigger CGL coverage in a typical data breach circumstance. See also Case Highlights Reasons To Consider Data Breach Insurance, Law360 (Jan. 14, 2014), http://www.law360.com/articles/501168/casehighlights-reasons-to-consider-data-breach-insurance
11 Portal Healthcare, 35 F.Supp.3d at 771.
12 Id. at 770.
13 Id.
On this point, Portal Healthcare reaches a conclusion contrary to the conclusion reached by the New York trial court in the Sony PlayStation coverage litigation, in which the trial court agreed with Sony’s insurers that “coverage is limited to protect against the purposeful and intentional acts committed by the insured or its agents [like third-party hackers], not by non-insureds or third-parties.” Zurich Am. Ins. Co.’s Mem. of Opp. to Sony Computer Entertainment Am. LLC’s Motion for Partial Summary Judgment and in Support of Cross-Motion for Summary Judgment, at p. 16 (Aug. 30, 2013). The trial court in Sony accepted the insurer’s argument that the policy coverage is limited to intentional acts. See Transcript of Proceedings, filed Mar. 3, 2014, at p. 77 (“The question now becomes, was that a publication that was perpetrated by Sony or was that done by the hackers. There is no way I can find that Sony did that.”). See also 5 Reasons The Sony Data Breach Coverage Denial Is Wrong, Law360 (Feb. 28, 2014), http://www.law360.com/articles/514248/5-reasons-the-sony-data-breach-coveragedenial-is-wrong?article_related_content=1 Notably, however, the trial court in Sony found that the “publication” requirement was otherwise satisfied—even though, as in Portal Healthcare, there was no evidence that the compromised data at issue in the Sony breach was actually published. See Transcript of Proceedings, filed Mar. 3, 2014, at pp. 42, 77 (“I look at it as a Pandora’s box. Once it is opened it doesn’t matter who does what with it. It is out there. It is out there in the world, that information….We are talking about the internet now. We are talking about the electronic age that we live in. So that in itself, by just merely opening up that safeguard or that safe box where all of the information was, in my mind my finding is that that is publication. It’s done.”).
14 Portal Healthcare, 35 F.Supp.3d at 771.
Separately addressing the “unreasonable publicity” and “discloses” requirements, the district court held that “the facts and circumstances alleged in the class-action complaint gave ‘unreasonable publicity’ to, and ‘disclose[d]’ information about, patients’ private lives ….” Id. at 772. By way of background, insurers typically assert in privacy-related cases that the publication at issue did not violate a “person’s right of privacy” as contemplated by the insurance contract. Courts generally have construed the “right to privacy” requirement broadly and have found the requirement satisfied in a broad spectrum of settings.
15 2016 WL 1399517, at *2, *3.
16 The current CGL standard-form policy covers the “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §14.e. Considering this verbiage and similar iterations of the standard form language, numerous decisions have found coverage for a wide variety of claims alleging breach of privacy laws and regulations, including data breach.
17 By way of example, one of the endorsements, entitled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information”, adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.
This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.

CG 21 08 05 14 (2013).
18 See also ISO’s Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider “Cyber” Insurance, Law360 (Sept. 23, 2013), http://www.law360.com/articles/473886/yet-another-reason-toconsider-cyber-insurance
19 Virtually all “cyber” policies provide defense and indemnity coverage for claims arising out of data breaches and other privacy-related incidents. Importantly, “cyber” policies also typically provide coverage for the costs and expenses associated with “crisis” or “event” management in the wake of a data breach incident, including, for example, breach notification, credit monitoring and counseling services, public relations efforts, and forensics to determine cause and scope of a breach. In addition to privacy-related coverage, most “cyber” policies offer coverage for, among other things, liability and exposure arising out of the transmission of malicious code, denial of third-party access to the insured’s network (DDoS attacks), media liability (for claims alleging, for example, infringement of copyright and other intellectual property rights), first-party coverage (for loss of the insured’s own data, for example), network/supply chain interruption (covering business interruption and extra expense caused by network incidents), and cyber extortion.
20 5 Tips For Success In Cyberinsurance Litigation, Law360 (July 30, 2015), http://www.law360.com/articles/681028/5-tips-for-success-in-cyberinsurance-litigation-
21 See, e.g., Travelers Prop. Cas. Co. of Am., et al. v. Federal Recovery Servs., Inc., et al., 103 F.Supp.3d 1297 (D. Utah 2015); Columbia Cas. Co. v.
Cottage Health Sys., No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015). See also Takeaways From the First Cyberinsurance Lawsuit, The Legal Intelligencer (Aug. 25, 2015), http://www.thelegalintelligencer.com/id=1202735176117/Takeaways-From-the-FirstCyberinsurance-Lawsuit?slreturn=20160320151418; The Devil in the “Cyber” Insurance Details, K&L Gates Commercial Disputes Alert (June 11, 2015), http://www.klgates.com/the-devil-in-the-cyberinsurance-details-06-11-2015/; Jeff Sistrunk, The State Of Cyber Coverage Law: 4 Key Decisions, Law360 (July 30, 2015), http://www.law360.com/privacy/articles/786246?nl_pk=882d66af-f96c-4c85a7fa-ea6a190f0939&utm_source=newsletter&utm_medium=email&utm_campaign=privacy