On April 11, 2016, the Fourth Circuit Court of Appeals held that Travelers Indemnity Company must defend its insured, Portal Healthcare LLC, for Portal’s failure to secure patients’ medical records during a four-month period in late 2013 and early 2014. For educational institutions, the opinion serves as a reminder that the facts surrounding each privacy event matter significantly when deciding where to look for potential insurance coverage. Here, the policyholder was able to trigger coverage under its commercial general liability (CGL) insurance policies, where the insurer had insisted that coverage was only potentially available under more specialized cyber-liability or professional liability insurance policies.
According to the underlying class-action complaint giving rise to Portal’s claim for coverage, Portal left patients’ medical records accessible online and without password protection. Two named plaintiffs found their records after conducting a Google search on their names. Portal notified Travelers, who in turn rejected Portal’s request for a defense, based on its belief that there had not been a “publication” of private medical information.
For many years, CGL insurance policies have provided coverage for, among other things, oral or written publication of material that violates a person’s right of privacy. In this case, there is no question that the medical records constituted material within the scope of the patients’ right of privacy. Travelers’ denial of coverage and arguments before the court asserted that there was no oral or written “publication” of the material. “Publication” was not defined under the CGL insurance policies at issue. The Fourth Circuit, agreeing with the district court, held that making the records available online “at least reasonably or arguably” constituted “publication.”
Aside from the prohibitions and obligations set forth in the Family Educational Rights and Privacy Act of 1974 (FERPA), universities and educational institutions face unique privacy and data-security issues, as highlighted in the past few years. Most notable among these risks are the continued tensions created by competitive big data (i.e., the university’s belief that it should be able to use data about its students, juxtaposed with the students’ belief that no data should be collected, much less used), the use of medical records or other confidential information in connection with disciplinary actions or court proceedings, to the day-to-day maintenance of significant personally identifiable information. In mitigating these risks, no potential source of insurance coverage should be overlooked. The Fourth Circuit’s opinion provides some best practices with respect to insurance, as well as preparing for and responding to a privacy event or data breach:
- Identify the potential for coverage. Well in advance of renewal of your CGL, directors’ and officers’, and cyber-liability insurance policies, carefully analyze the potential for coverage for liability arising out of a possible privacy event or breach. For educational institutions, this means surveying the issues faced by peer institutions in the past year, as well as having a full understanding of any big data-related initiatives.
- Aggressively negotiate policy terms. Where negotiation of the policy terms is possible, and they are in many cases, think strategically about how best to address any gaps in coverage. Also, carefully evaluate the implications of asking an insurer to clarify potential ambiguous terms (in this case, “publication”) based on the law that would apply to the interpretation of the policy. Sometimes an ambiguous term, coupled with case law, is good for the insured; sometimes it is not. It is important to know when each is the case.
- Privileged communications safeguard against surprises in contested claims. Understand that discussions of these issues (potential risks, initiatives, gaps in coverage, etc.) can be privileged if conducted with a coverage attorney. However, those same conversations may not be if conducted with an insurance broker. For universities and educational institutions, particularly those that may be subject to public record requests or external oversight, this point cannot be overstated.
- Don’t judge a policy’s coverage by its title. When a potential claim has occurred, evaluate each of your insurance policies for coverage. Never assume that a certain type of insurance policy will not respond, and keep up to date on changes in the law that might apply.
- Whether there may be coverage can change. As facts or the case develops, periodically revisit the initial conclusion regarding the availability of coverage under each of your insurance policies.