In Unpublished Decision, 4th Circuit Finds Duty to Defend Class Action for Data Breach Under CGL Policy
In an unpublished opinion, the U.S. Court of Appeals for the 4th Circuit affirmed a lower court decision finding a duty to defend a class action relating to personal health information under the Coverage B Personal and Advertising coverage grant of a CGL policy. The class action complaint alleged that Portal engaged in conduct resulting in private medical records being available online for over four months by anyone with an Internet connection. The Appellate Court applied Virginia law, using the Eight Corners’ Rule (i.e., analyzing the four corners of the complaint and the four corners of the policy to determine whether the claims were potentially covered). It concluded that the complaint at least potentially or arguably alleged a ”publication” of private medical information, and was dismissive of “Travelers’s efforts to parse alternative dictionary definitions [to] absolve it of the duty to defend.” It reached this conclusion despite an absence of proof that any third parties viewed the information, and the argument that Portal did not intend to publish the information.
The 4th Circuit’s decision is contrary to the recent trend in cases finding no coverage for data breaches under CGL policies. See, e.g., Recall Total Info. Mgmt., Inc., et al. v. Federal Insurance Co., et al., 317 Conn. 46 (finding no coverage under Coverage B where there was no evidence that a third party accessed the information or that any person suffered any damages) and Zurich Am. Ins Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. February 21, 2014) (finding no coverage under coverage B where the alleged publication was not an intentional act committed by the insured, but rather the criminal act of a hacker). Arguably, the import of this decision may be limited because, as an unpublished opinion, it is not binding precedent.