Legal bloggers sometimes ask themselves: If my post appears on the Internet, but there’s no evidence anyone has read it, have I been published? The question has not yet been finally resolved among law firm compensation committees, but, in the data privacy context, a federal court in Virginia recently offered an emphatic “yes.” In Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 1:13-cv-917(GBL) (E.D. Va. Aug. 7, 2014), the court found that a policyholder’s having posted confidential medical information on the Internet triggered coverage for claims based on “electronic publication of material that … discloses information about a person’s private life,” even if no third party had ever viewed the information.
How Not to Store Data
Portal Healthcare Solutions provides electronic storage and maintenance of medical records for healthcare providers, including Glen Falls Hospital. In early 2013, two patients from the facility “Googled” their own names and found that the very first search results linked directly to their confidential Glen Falls medical records. The records, it seems, had been posted on the Internet without security restrictions. In April 2013, Portal was named as a defendant in a class action.
Portal was covered by two policies that obligated Travelers to pay sums Portal became legally obligated to pay as damages, because of injury resulting from the “electronic publication of material” that “gives unreasonable publicity” to, or “discloses information” about, a “person’s private life.” In April 2014, Travelers filed its own action, seeking a declaration that it had no duty to defend the class action. Portal immediately responded by moving for summary judgment.
“Publication”
The policies did not define the term “publication,” so the court adopted the dictionary definition: “to place before the public (as through a mass medium).” Travelers argued that Portal’s conduct did not constitute a “publication” for two reasons. First, Portal did not intend to effect a “publication,” because “the entire purpose of the services Portal provided was to keep the medical records private and confidential.” The court rejected this argument, finding that the definition of “publication” does not hinge on a would-be publisher’s intent; an unintentional publication is still a publication.
Second, Travelers argued that no third-party was alleged to have viewed the confidential information on the Internet – the plaintiffs themselves were the only ones who had accessed it. Thus, the plaintiffs failed to allege that the publication had “disclose[d] information” about the plaintiffs or “give[n] unreasonable publicity” to their private lives. The court rejected that argument, as well, finding that “’publication’ does not hinge on third-party access.”
Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it. By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.
This reasoning has its limits. Earlier this year, in Recall Total Information Management v. Federal Ins. Co., 83 A.3d 664 (Conn. Ct. App. 2014), a Connecticut appellate court considered whether confidential information had been “published” when electronic tapes containing that information fell out of the back of a van and were never recovered. Because there was no evidence that anyone had actually accessed the information on the tapes, the court held that the information had not been “published” within the meaning of the plaintiff’s policy. In that case, however, the court also found it significant that the tapes could not be read by a personal computer.
“Publicity” and “Disclosure”
The court also rejected Traveler’s more focused arguments that there had been no “publicity” or “disclosure.” Although Travelers suggested that Portal’s inadvertent posting of the medical records were not “steps designed to attract public interest or gain public attention or support,” the court found that this was only one definition of “publicity.” The “broader and primary” definition of the term, however, was “the quality or state of being obvious or exposed to the general view“—which, court determined, was certainly met by giving “quite literally, any member of the public” the ability to “view, download, or copy [the unsecured medical] records.”
Similarly, the court found that the plain meaning of “disclosure” was “the act or process of making known something that was previously unknown.” In the court’s view, posting the medical records online was to engage in the process of making previously unknown records known to the public at large – regardless of whether any member of the public actually viewed them. In other words, with respect to coverage under the Travelers policies, all that really mattered was that the tree fell; whether it made a sound is beside the point.
Accordingly, the court found that exposing confidential records to public online searching placed highly sensitive, personal information before the public and, thus, arguably fell within the policies’ coverage, triggering Travelers’ duty to defend. The opinion was silent as to what the class action plaintiffs’ act of “Googling” their respective names implied about them.
Image source: Tiia Monto (Wikimedia)