Twitter LinkedIn Share this page Facebook RSS


Insurance Law BlogLegal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

A CGL Policy May Provide A Duty To Defend Data Breach Claims – 4th Circuit Court of Appeals Decision

April 14, 2016 | Thomas Rice

The 4th Circuit Court of Appeals has ruled that a commercial general liability policy (CGL) may cover a data breach, at least for the purposes of a duty to defend. In a case involving the publication of private medical records on the internet, the federal appellate court agreed with the lower federal district court in Virginia that coverage included in a CGL for personal and advertising injury applied.  The Travelers Indemn. Co. of Amer. v. Portal Healthcare Solutions, LLC, slip op., Case No. 14-1944 (4th Cir. April 11, 2016).

The underlying class-action complaint alleges that Portal and others engaged in tortious conduct that resulted in the plaintiffs’ private medical records being available on the internet for more than four months. During the alleged tortious conduct, Portal was insured under two CGL insurance policies issued by Travelers,  in 2012 and 2013. Travelers argued its 2012 and 2013 CGL policies did not require it to defend Portal because the class-action complaint fails to allege a covered “publication” by Portal or any other covered conduct within the scope of the CGL policies. 

The federal appellate court, in finding that Travelers has a duty to defend Portal from the class action, characterized those arguments as “efforts to parse alternative dictionary definitions”.  The federal appellate court applied the Virginia “Eight Corners’ Rule” by looking to “the four corners of the underlying complaint” and “the four corners of the underlying insurance policies” to determine whether Travelers is obliged to defend Portal. 

The 4th Circuit Court agreed with the lower court’s opinion that the class-action complaint at least potentially alleges a publication of private medical information by Portal that constitutes conduct covered under the policies. The federal appellate court further explained that such conduct, if proven, could have given unreasonable publicity to, and disclosed information about, patients’ private lives, because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online. 

This ruling significantly increases the risk of future coverage claims for data breach losses under traditional CGL policies, based on its broader interpretation of the term “publication” as used in those policies.

About Insurance Law Blog

The BSCR Insurance Blog examines topics and developments of interest to insurance carriers, with a particular focus on Missouri and Kansas law. Learn more about the editor, Angela Higgin Clark, and our Insurance practice.


The Insurance Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.


Do not include confidential information in comments or other feedback or messages related to the Insurance Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Insurance Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


For Important Legal Updates and Resources on the Coronavirus Click Here.