The US Court of Appeals for the Fourth Circuit rendered an unpublished opinion on the above referenced action pursuant to cross-motions for summary judgment filed by the parties in US District Court for the Eastern District of Virginia. The dispute arose over whether Travelers had a duty to defend Portal against class-action allegations that Portal posted confidential medical records on the internet. The US District Court concluded that Travelers did have a duty to defend Portal against the underlying class action and the US Court of Appeals affirmed. Keep in mind that an insurer’s duty to defend is generally construed more broadly than its duty to indemnify.
The district court included the following paragraph in the background section related to the language found in the 2012 and 2013 policies issued by Travelers:
The 2012 and 2013 Policies obligate Travelers to pay sums Portal becomes legally obligated to pay as damages because of injury arising from (1) the “electronic publication of material that … gives unreasonable publicity to a person’s private life” (the language found in the 2012 Policy) or (2) the “electronic publication of material that … discloses information about a person’s private life” (the language found in the 2013 Policy). (See doc. 1, at 5-6)
Personal and advertising injury liability coverage is offered under Coverage B in the CG 00 01 04 13 CGL policy form published by ISO. The insuring agreement for Coverage B covers sums that the insured becomes legally obligated to pay as damages because of “personal and advertising injury” to which this insurance applies. The insuring agreement also covers defense of the insured against any “suit” seeking those damages. “Personal and advertising injury” means injury, including consequential “bodily injury”, arising out of one or more of the following offenses: …e. Oral or written publication, in any manner, that violates a person’s right of privacy. In the Travelers case, the district court concluded (and the appeals court affirmed) that making confidential medical records publicly assessable via an internet search does fall within the plain meaning of “publication”, even if the publication was unintentional. The court also determined that posting confidential medical records online without security restriction gives “unreasonable publicity” to, and “disclosure” of information about, patients’ private lives.
I believe one could argue that, given similar circumstances to those in the Travelers case, there is at least the potential for coverage under the ISO CGL form sufficient to give rise to a duty to defend on the part of the insurer.
Turning to the issue of limits, the most common limits we see on a standard CGL policy are $1,000,000 with a general aggregate limit of $2,000,000. In the ISO CG 00 01 04 13, Section III – LIMITS OF INSURANCE, Part 1. states:
1. The limits of Insurance shown in the Declarations and the rules below fix the
most we will pay regardless of the number of:
b. Claims made or “suits” brought; or
c. Persons or organizations making claims or bringing “suits”.
2. The General Aggregate Limit is the most we will pay for the sum of:
a. Medical expenses under Coverage C;
b. Damages under Coverage A, except damages because of “bodily injury” or
“property damage” included in the “products-completed operations
c. Damages under Coverage B.
The following subpart also applies to the “personal and advertising” limit;
4. Subject to Paragraph 2. above, the Personal and Advertising Injury Limit is the most we will pay under Coverage B for the sum of all damages because of all “personal and advertising injury” sustained by any one person or organization.
My reading of the above policy language from the ISO CGL policy, and supported by expert commentary from IRMI – How the Limits Apply in the CGL, the Personal and Advertising limit applies separately to each person or organization that sustains damages because of a covered offense or offenses. Consequently, in an action by multiple plaintiffs arising out of the same offense, multiple Personal and Advertising limits could be exposed but limited by the general aggregate limit under each policy period. Once the aggregate limit under the policy is exhausted, no further claims be made against the policy term as set forth in Part 2 above, with the exception of products-completed operations losses.
One of the key findings in this case is that “publication”, for purposes of qualifying for coverage under personal and advertising injury coverage in a CGL, does not have to be intentional nor would it have to be actually accessed by an outside party. This raises the possibility for coverage for “personal and advertising injury” for accident publications of information which violates a person’s right to privacy.
ISO has developed several coverage endorsements which provide more flexibility in how insurers choose to address cyber exposure, including an optional endorsement which deletes the invasion of privacy-related offense from the definition of personal and advertising injury applicable to Coverage B under the ISO CGL Coverage Form. A summary of some of these options can be found in an article published by Insurance Journal – ISO Comments on CGL Endorsements for Data Breach Liability Exclusion.
Urban Friesz works as a Vice President and Senior Claims Specialist in our Minneapolis, MN location. He can be reached by phone at 952-229-8856 or by email at firstname.lastname@example.org
Disclaimer: This article and the Website content that can be linked to through this article are offered for informational purposes only. The article and linked-to Website content are made available without warranty of any kind. They are not offered or intended as advice on any specific facts or circumstances, and you should not rely on them as a substitute for independently obtaining such advice.