Florida Court Finds Data Breach Not Covered by Travelers / St. Paul CGL Insurance Policy

Data Breach

A federal court in Florida has ruled that the “personal injury” provisions of a Travelers / St. Paul commercial general liability (CGL) policy does not cover a data breach caused by third party hackers.  The court left unresolved the question whether the “property damage” or the costs of compliance with state notification statutes was covered.  Businesses which are exposed to cyber security risks need to review their CGL policies and consider obtaining separate cyber security coverage.

In St. Paul Fire & Marine Insurance Co. v. Rosen Millennium, Inc. and Rosen Hotels & Resorts, Inc., Judge Carlos Mendoza of the U.S. District Court for the Middle District of Florida (Orlando) was called upon to decide this declaratory action over whether the defendants’ CGL policy covered data breach liability and expenses.  The claim arose from a 2016 data breach where third party hackers installed malware on a payment network which led to a potential credit card breach.  Millennium provided data security for Rosen, a major hotel chain with several hotels and resorts in the Orlando area.  Rosen disclosed the data breach to potentially affected customers.

The insurance company denied the claim based upon a Notice of Claim and demand letter it received from the defendants which “track[ed] the language in the ‘personal injury’ provisions of the CGL policies…”  As such, the court confined its analysis to those allegations. The court concluded that the Notice and demand letter contained little substantive information although the demand did state that Millennium had “made private information known to third parties that violated a credit card holder’s right of privacy” (which, again, was wording that tracked the policy).

The court found that a “personal injury” was defined in the insurance policy as an “injury other than a bodily injury or advertising injury, that’s caused by a personal injury offense” and that latter term was defined as, “making known to any person or organization covered material that violates a person’s right of privacy.”  The phrase “making known” was not defined but the parties agreed that it was akin to “publication” despite other courts using more restrictive definitions.

Relying on a prior decision which applied South Carolina law, Innovak International Inc. v. Hanover Insurance Co., the court held that third party hackers, not the insured, caused the data breach.  Borrowing from the Innovak order, the court noted, “the only plausible interpretation of [the insurance policy] is that it requires the insured to be the publisher of the [private information].” Id. at 1348 (noting that “construing the policy to include the acts of third parties ‘would be expanding coverage beyond what the insurance carriers were . . . knowingly entering into.’”

The court concluded:

Here, the policies define “personal injury” in a similar fashion, and therefore, the Court finds Innovak to be persuasive.4 Moreover, the CGL Policies require covered personal injuries to “result[] from [the insured’s] business activities.” RHR’s alleged injuries did not result from Millennium’s business activities but rather the actions of third parties.

TAKEAWAY LESSONS:

  • Many CGL policies now explicitly exclude data breach claims.  This requires companies, particularly those in technology sectors, to consider cyber security insurance.
  • As mentioned above, there still remains a question whether there is property damage or “notification cost” coverage.  Again, many CGL policies now exclude those items as well.
  • Arguably, one might argue that Millennium “made known” the credit card data to the third party hackers and was liable for the reasonably foreseeable disclosure thereafter.  This court did not seem to accept that approach.
  • Parties making claims need to be careful when tracking the language of the policy and be sure to be over-inclusive in the arguments for coverage.

Image Credit: Rosen Hotel

Data Breach
Christopher Hopkins Speaks to ASIS International (Broward / Fort Lauderdale) Regarding Anatomy of a Data Breach Lawsuit

Special thanks to ASIS International (Broward County, Florida chapter) for inviting me to speak to them about data breach and cyber security litigation. You can review my powerpoint, here, which explains data breaches in general and then discusses how claims / litigation arises.  Most importantly, we discussed how companies can …

Data Breach
Want to Try Anonymity on the Internet or the Dark Web? New Tor Browser 8 is here… and free

The Tor browser, which helps anonymize your internetting, has been updated to version 8.  It’s free and worth having on your desktop. First, these steps simple install a secondary browser on your computer.  No spyware.  It’s not illegal.  It’s just a simple browser. Download it here.  It will ask you …

Arbitration Mediation
Florida Dispute Resolution Conference 2018: Christopher Hopkins Discusses ESI/E-Discovery for Mediators AND Cyber Security and Data Breach for Mediators

Thanks to the Florida Dispute Resolution Conference for inviting me to speak at the 2018 conference. Topics covered: 25 ESI and E-Discovery Terms for Mediators in 75 minutes and Cybersecurity and Data Breach for Mediators. You can download the presentations here and here. If you would like CME points, you …