A federal court in Florida has ruled that the “personal injury” provisions of a Travelers / St. Paul commercial general liability (CGL) policy do not cover a data breach caused by third party hackers. The court left unresolved the question of whether “property damage” or the costs of compliance with state notification statutes were covered. Businesses that are exposed to cyber security risks need to review their CGL policies and consider obtaining separate cyber security coverage.
In St. Paul Fire & Marine Insurance Co. v. Rosen Millennium, Inc. and Rosen Hotels & Resorts, Inc., Judge Carlos Mendoza of the U.S. District Court for the Middle District of Florida (Orlando) was called upon to decide this declaratory action over whether the defendants’ CGL policy covered data breach liability and expenses. The claim arose from a 2016 data breach in which third party hackers installed malware on a payment network, which led to a potential credit card breach. Millennium provided data security for Rosen, a major hotel chain with several hotels and resorts in the Orlando area. Rosen disclosed the data breach to potentially affected customers.
The insurance company denied the claim based upon a Notice of Claim and demand letter it received from the defendants which “track[ed] the language in the ‘personal injury’ provisions of the CGL policies…” As such, the court confined its analysis to those allegations. The court concluded that the Notice and demand letter contained little substantive information although the demand did state that Millennium had “made private information known to third parties that violated a credit card holder’s right of privacy” (which, again, was wording that tracked the policy).
The court found that a “personal injury” was defined in the insurance policy as an “injury other than a bodily injury or advertising injury, that’s caused by a personal injury offense” and that latter term was defined as, “making known to any person or organization covered material that violates a person’s right of privacy.” The phrase “making known” was not defined but the parties agreed that it was akin to “publication” despite other courts using more restrictive definitions.
Relying on a prior decision which applied South Carolina law, Innovak International Inc. v. Hanover Insurance Co., the court held that third party hackers, not the insured, caused the data breach. Borrowing from the Innovak order, the court noted, “the only plausible interpretation of [the insurance policy] is that it requires the insured to be the publisher of the [private information].” Id. at 1348 (noting that “construing the policy to include the acts of third parties ‘would be expanding coverage beyond what the insurance carriers were . . . knowingly entering into.’”).
The court concluded:
Here, the policies define “personal injury” in a similar fashion, and therefore, the Court finds Innovak to be persuasive. Moreover, the CGL Policies require covered personal injuries to “result from [the insured’s] business activities.” RHR’s alleged injuries did not result from Millennium’s business activities but rather the actions of third parties.
- Many CGL policies now explicitly exclude data breach claims. This requires companies, particularly those in technology sectors, to consider cyber security insurance.
- As mentioned above, there still remains a question whether there is property damage or “notification cost” coverage. Again, many CGL policies now exclude those items as well.
- One might argue that Millennium “made known” the credit card data to the third party hackers and was liable for the reasonably foreseeable disclosure thereafter. This court did not seem to accept that approach.
- Parties making claims need to be careful when tracking the language of the policy and be sure to be over-inclusive in the arguments for coverage.