Insurance companies may have to pay your lawyer for a cybersecurity incident, but not you

This blog has covered a number of disputes between insureds and insurance companies resulting from cybersecurity incidents. Many of these cases have been resolved in favor of the insurance companies when courts rule that policy language does not cover an insured’s particular cyberloss. However, a recent case from the United States Court of Appeals for the Fourth Circuit provides some relief to insureds.

The case of Travelers v. Portal Healthcare Solutions highlights an important issue in insurance coverage cases. There are two types of coverage that insureds are interested in when they experience a loss: (1) coverage that will pay attorneys’ fees and related costs, and (2) coverage that will pay for any monetary loss. Most cases focus on the second type of coverage, because ultimately monetary losses can be large after a cybersecurity incident. For example, this blog has covered incidents where companies lost over $4 million and over $2 million.

However, coverage for attorneys’ fees is also important. In most states, including Iowa, applicable insurance law provides that the duty to defend is broader than the duty to provide coverage. In other words, insurance companies will be required to pay attorneys’ fees in more cases than the insurance companies will have to pay for monetary losses. So long as the claims in a lawsuit are probably, or even arguably, within the scope of an insurance policy the insurance company has to pay the costs to defend the case.

Travelers v. Portal Healthcare Solutions addressed the scope of Travelers’ duty to defend Portal Healthcare Solutions (“PHS”) after a cybersecurity incident. PHS electronically stores patient medical records for hospitals, clinics, and other medical providers. According to several patients, PHS posted patient medical records publicly online for four months. Two patients noticed the records were public when they searched for their names on Google. The first link to appear took them to their medical records. The two patients initiated a class action lawsuit against PHS for publicly posting patient medical records.

PHS reported the class action lawsuit to Travelers and requested coverage, including coverage for the cost of defending the class action lawsuit. Travelers denied that it had any obligation to pay PHS’s defense costs, because Travelers’ policy did not cover this kind of publication of patient medical records.

PHS had two insurance policies from Travelers that were relevant to this dispute. The first policy covered the period from January 31, 2012 to January 31, 2013 (“2012 Policy”), and the second from January 31, 2013 to January 31, 2014 (“2013 Policy”). While similar, the policy language providing coverage for the publication of medical records varied slightly from the 2012 Policy to the 2013 Policy:

The 2012 and 2013 Policies obligate Travelers to pay sums [PHS] becomes legally obligated to pay as damages because of injury arising from (1) the “electronic publication of material that . . . gives unreasonable publicity to a person’s private life” (. . . 2012 Policy) or (2) the “electronic publication of material that . . . discloses information about a person’s private life” (. . . 2013 Policy).

Travelers argued that the policies did not cover publication of patient medical records in this case. Rather, according to Travelers there was no (1) electronic publication, or (2) disclosure of, or unreasonable publicity to, information about patients’ private lives.

First, Travelers argued that no publication occurred because there was no proof that anyone other than the patients accessed the records, and PHS did not intend to make the records available to the public. The Court rejected both arguments. The Court explained that it was irrelevant whether there was proof that any third parties accessed the information because the information was available to third parties. The Court also explained that whether a record is published does not depend on the intent of the publisher—all that matters is the record is available to the public.

Second, Travelers argued PHS had not “publicized” the records because PHS did not draw attention to them. The Court rejected that argument by noting that “quite literally, any member of the public can view, download, or copy those records.”

Travelers also argued that PHS did not disclose the records because the two patients who filed the suit only viewed their own records. The Court rejected that argument by explaining that the records were “disclosed” as soon as they were posted online.

The Court’s ruling is a significant victory for PHS. Travelers will have to pay PHS’s defense costs in the patient class action lawsuit against PHS. However, this is just the first step for PHS. Travelers will likely dispute that it is obligated to cover any monetary judgment entered against PHS, and there may be other policy language that governs that issue.

This case is another good example of why it is important to implement controls and procedures to minimize the risk of accidental disclosure or other cybersecurity incidents. Furthermore, it is important to review insurance policy language before purchasing a policy to determine the scope of insurance coverage, and make sure it actually covers the losses your organization might suffer.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

- John Lande