April 3, 2020

April 03, 2020

Subscribe to Latest Legal News and Analysis

April 02, 2020

Subscribe to Latest Legal News and Analysis

April 01, 2020

Subscribe to Latest Legal News and Analysis

Federal Appeals Court Holds Data Breach Class Action Triggers Insurer's Duty to Defend under General Liability Policy

A federal court of appeals held that general insurance policies cover a data breach class action in a case that is highly likely to impact how courts throughout the country resolve insurance claims related to cyberattacks and policy renewal negotiations.

On April 11, 2016, the United States Court of Appeals for the Fourth Circuit upheld a trial court’s finding that Travelers Indemnity Company of America is required to defend Portal Healthcare Solutions, LLC in a class action filed in New York. In the original case, two plaintiffs filed a class action alleging that Portal failed to safeguard their confidential medical records when they were made publicly accessible on the internet. Travelers filed a separate action seeking a declaratory judgment that it was not required to defend Portal. Travelers argued that the class representatives had not alleged that Portal had “published,” given “undue publicity,” or “disclosed” the plaintiffs’ information to any third party, to trigger coverage under the policies.

Applying Virginia law, the trial court disagreed, finding that it was required to follow the “Eight Corners Rule” by looking to the four corners of the class action complaint to determine whether it alleged grounds for liability “potentially or arguably covered” by the four corners of the insurance policies. The trial court concluded that since the policies did not define the operative terms “publication,” “unreasonable publicity,” or “disclose,” those terms would be given their plain and ordinary meaning. Citing common dictionaries, the court found that the tort alleged in the class action – i.e., exposing the plaintiffs’ medical records online – constituted publication, unreasonable publicity, and disclosure of the medical records even if the only individuals who actually saw the records were the plaintiffs. Thus, the court concluded, Travelers was required to provide a defense to Portal.

The Fourth Circuit upheld the trial court’s ruling, holding that the trial court correctly applied the Eight Corners Rule, particularly because “under Virginia law, an insurer’s duty to defend an insured is broader than its obligation to pay or indemnify an insured” and that “the insurer must use language clear enough to avoid ambiguity if there are particular types of coverage that it does not want to provide.”

Although the Fourth Circuit was interpreting Virginia law, most jurisdictions throughout the United States – including Utah – apply the Eight Corners Rule and, even where the rule is articulated differently, as in Colorado, courts universally hold that insurance companies have a broad duty to defend.

The ruling has significant implications for claims under existing or prior policies. First, companies that are or have been the target of cyberattacks likely have a strong claim that their existing general insurance policies cover any ensuing litigation related to the cyberattacks. Because a company may not discover that it was the target of a cyberattack until months or years afterwards, insurance companies will likely have to cover significant claims covered by current or prior policies for years to come.

Second, companies should pay close attention to the definitions and exclusions proposed by their insurance companies during negotiation of their policy renewals. As most policies are annual, insurance companies are likely to carefully define the exclusions to heed the Fourth Circuit’s admonition that they must clearly identify the types of data disclosures they intend to exclude from coverage. Given the increased frequency of cyberattacks, companies should bargain equally as hard for protection under their policies in the event they become the next victim of a data breach.

The case is Travelers Indemnity Co. of America vs. Portal Healthcare Solutions, L.L.C., Case No. 14-1944 (4th Cir. April 11, 2016).

    Copyright Holland & Hart LLP 1995-2020.


    About this Author

    Michael J. Carrigan, Holland Hart, complex business dispute attorney, insurance coverage lawyer, government investigations legal counsel

    Mr. Carrigan represents companies and individuals involved in complex business disputes regarding government investigations, insurance coverage, and contracts. Mr. Carrigan leads the firm's Insurance and Coverage and risk management group and has significant experience in litigating coverage disputes on behalf of policyholders.   A former Senior Deputy District Attorney, Mr. Carrigan has tried over one hundred cases to judge and jury, and has litigated cases in the Colorado Court of Appeals, the Colorado Supreme Court, the United States District Court for the District of...

    Romaine C. Marshall, Holland Hart, Software Technology Litigation Lawyer, Arbitration Attorney

    Mr. Marshall is a litigation and trial attorney in the Salt Lake City office who represents businesses in the software, technology, financial and technical services, and energy and natural resources industries. He distills complex factual and legal issues to effectively persuade judges, juries, and opposing parties at trial and arbitration. He also counsels clients how to avoid the business expense and disruption of litigation and trial through settlement, pretrial dispositive relief, and other dispute resolution options. Mr. Marshall has represented clients in disputes before and on behalf of numerous federal and state agencies including the SEC, FDIC, FBI, IRS, and the Utah Department of Insurance.

    Prior to joining Holland & Hart, Mr. Marshall was a judicial law clerk for the Honorable J. Thomas Greene for the U.S. Federal District Court in Utah.

    Software and Technology Litigation

    • Obtained injunctive relief and favorable settlement for telecommunications provider in data breach and misappropriation of trade secrets case.

    • Successfully opposed attempts to cease operations of software company in California and defended company's former CEO in Utah against claims for fraud, data theft, and trade secret misappropriation.

    • Successfully defended software distribution and CRM company in California and negotiated voluntary dismissal of all claims by software manufacturer.

     Engels J. Tejeda, Holland Hart, Bankruptcy Court Lawyer, Complex Commercial Matters Attorney
    Of Counsel

    Engels J. Tejeda represents businesses and individuals in state, federal, and bankruptcy courts in complex commercial litigation. His litigation experience includes finance disputes, business torts, title disputes, repossession and deficiency claims under the Uniform Commercial Code and state foreclosure statutes, actions under the Bankruptcy Code and the Fair Credit Reporting Act, and judgment enforcement proceedings.

    In addition to his litigation experience, Mr. Tejeda negotiates and drafts loan workouts, settlement agreements, bills of sale,...