A federal court in Florida recently adopted the now well-developed consensus that data breach losses are not covered under standard Commercial General Liability (CGL) policies. As the Department of Homeland Security’s officially designated 15th annual Cybersecurity Awareness Month comes to a close, the case stands as yet another stark warning that companies of all sizes – any company that uses, collects, stores or handles confidential personal information such as credit card numbers, social security numbers, etc. – MUST address exposure to hacking and other data breach events before they occur. One of the pillars of preparedness for such events is ensuring the company is appropriately insured, so companies should be in close communication with their brokers about standalone cyber products. These products not only respond when data breaches and other hacking events occur, but they often also come with loss prevention services and the underwriting process itself can reveal weaknesses in a company’s cybersecurity regime.
While most companies now recognize the importance of cyber insurance, data from as recently as 2017 indicates that the United States lags behind Canada and Europe on the cyber-insurance uptake rate, with as few as 50 percent of companies having purchased such coverage. It should be clear by now that such coverage is critical.
ISO has promulgated form cyber coverages for several years, and at least as far back as 2013 began recommending and standardizing language to exclude data breaches and other cyber events from standard CGL coverage, as it was never intended to cover these types of risks, which are by now prevalent and well-known.
The policy at issue in St. Paul Fire & Marine Insurance Co. v. Rosen Millennium, Inc., No. 6:17-cv-00540-CEM-GJK (M.D. Fla. Sept. 28, 2018) was issued in early 2014, around the time when these changes to the “modern” commercial insurance regime (i.e., right now, as the cybersecurity landscape has evolved so quickly as to render 2014 ancient history) were nascent. The case shows yet again, however, that standard CGL coverage was never intended to cover these types of risk. In particular, the court held, as others have, that the personal injury coverage in CGL policies is not triggered by third-party liability for exposing the policyholder’s consumer data.
In Rosen, St. Paul Fire & Marine Insurance Company insured Rosen Millennium, Inc. under two consecutive commercial general liability policies that required St. Paul to defend Millennium against claims for bodily injury, property damage, and personal injury. Millennium, a wholly-owned subsidiary of Rosen Hotels & Resorts, Inc., provided data security services for Rosen Hotels. In 2016, Rosen Hotels discovered that it was the subject of a credit card breach that occurred when malware was installed on its payment network. Rosen Hotels provided notification of the data breach to the potentially affected customers.
Rosen Hotels then notified Millennium, contending that the data breach was caused by Millennium’s negligence and inquired whether Millennium had insurance coverage for the loss. Millennium in turn notified its CGL carrier, St. Paul. St. Paul initially issued a reservation of rights letter that stated that there was no coverage for the claim, but invited Millennium to submit additional information. When Millennium did not submit any additional information, St. Paul initiated a declaratory judgment action against Millennium and Rosen Hotels, seeking a declaration that it did not have a duty to defend Millennium against the data breach claim by Rosen Hotels. Thereafter, Rosen Hotels sent a demand letter to Millennium, alleging that it was entitled to payment from Millennium as a result of the data breach.
At the outset, the court noted that it must analyze St. Paul’s duty to defend in light of the demand letter because there was no underlying litigation. According to the court, this demand letter included very little detail and simply tracked the language of the personal injury provisions in the CGL Policies. Because it did not mention property damage or the costs incurred in providing notice of the data breach, the court only addressed coverage under the personal injury provisions.
The St. Paul CGL policies provided coverage for “personal injury” resulting from Millennium’s “business activities.” “Personal injury” was defined as an “injury, other than bodily injury or advertising injury … caused by a personal injury offense.” “Personal injury offense” included “[m]aking known to any person or organization covered material that violates a person’s right to privacy.” The parties agreed that the credit card information released was “covered material” and that “making known” meant “publication,” even though “making known” was not defined in the CGL policies.
The court found that the third-party breaches were not covered by the CGL policies because the publication requirement was not met. In so ruling, the court was persuaded by another recent decision by the same court in Innovak Int’l, Inc. v. Hanover Ins. Co., No. 8:16-CV-2453-MSS-JSS, (M.D. Fla. Nov. 17, 2017). The Innovak court, applying South Carolina law, ruled (as discussed here), that the publication requirement was only satisfied where the insured, not a third-party hacker, was the publisher of the covered material. Quoting the Supreme Court of New York’s seminal decision in Zurich American Insurance Company v. Sony Corporation of America, No. 651982/2011, 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014), the Innovak court stated that “construing the policy to include the acts of third parties ‘would expand coverage beyond what the insurance carriers were … knowingly entering into.’”
Thus, because Millennium itself did not publish the breached credit card information, the court ruled that the personal injury coverage was not triggered. The court further noted that any “personal injury” would not have resulted from Millennium’s “business activities,” as required by the CGL policies, but instead from the actions of third parties. Lastly, the court distinguished several other data breach cases finding a duty to defend because none of those cases involved data breaches caused by third parties. Given that the court found no coverage under the insuring agreement, it did not address any exclusions in the policy, although it appears St. Paul may have had arguments regarding the applicability of a cyber-related exclusion.
Given the time frame involved, it is not surprising that Millennium had by then also purchased cyber-specific coverage. Indeed, St. Paul relied on this fact, pointing out in its motion for summary judgment that Millennium had cyber coverage through a Beazley Breach Response policy issued to both Millennium and Rosen. Unfortunately for Millennium, Beazley also denied coverage for the loss under the breach response policy because the loss occurred prior to that policy’s retroactive date, further highlighting the importance of obtaining a policy that effectively covers the policyholder’s cyber risk.
While the policyholder has filed a notice of appeal, it is unlikely the Eleventh Circuit will disturb the result. There is no indication as to whether Millennium is also pursuing Beazley regarding its denial, or may be seeking other avenues of recourse, such as action against its broker. But the result is a clear warning to companies that remain undecided about purchasing cyber coverage, regardless of their size. Just as no company with a fleet of vehicles would ever fail to consider purchasing commercial auto insurance, no company that handles customer payment information (which is nearly every company) should fail to consider purchasing data breach coverage.