While some courts have found coverage for data breach claims under CGL policies, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.
The decision in St. Paul Fire & Marine Ins. Co. v. Rossen Millennium, Inc., case no. 17-cv-540, provides the latest example of a court finding no coverage for a data breach under a commercial general liability insurance policy (“CGL”). In Rosen Millennium, the Federal District Court for the Middle District of Florida issued an order on September 28, 2018, finding no coverage for a data breach under two CGL policies issued to defendant, Rosen Millennium (“Rosen”).
Rosen was providing data security services to Rosen Hotels & Resorts (“RHR”) when they discovered a potential breach of credit cards at a hotel in February of 2016. The forensic investigator determined information related to the credit cards provided by hotel patrons was breached and RHR took steps to notify the patrons in March of 2016.
Rosen submitted a notice of claim to its insurer, St. Paul Fire & Marine (“Travelers”) in December of 2016, which stated RHR claimed the breach was the result of Rosen’s negligence. Travelers issued a reservation of rights denying coverage and requesting Rosen provide any information it believes may impact St. Paul’s coverage determination. Shortly thereafter, Travelers filed this declaratory seeking a determination of its duty to defend Millennium against RHR’s negligence claims. Even though RHR did not file suit, they claimed a demand letter from RHR and Millennium’s Notice of Claim and created a controversy as to Traveler’s duty to defend Millennium under the CGL policies.
- The Allegations Against Rosen Did Not Constitute “Property Damage” Under the CGL Policies
In granting Traveler’s motion for summary judgment, the District Court first opined that the Notice of Claim (which contained only the relevant dates of the breach) and demand letter (which provided only that Rosen exposed private information to third parties) did not trigger Traveler’s defense obligation under the policy. In particular, the District Court found these documents “make no mention of, let alone a claim for, property damage or the costs incurred from complying with notification statutes.” Consequently, the District Court found Rosen’s claims for coverage not ripe and held Travelers had no “duty to defend a hypothetical claim.”
- The Allegations Against Rosen Did Not Constitute “Personal Injury” Under the CGL Policies
The District also rejected Rosen’s assertion that RHR’s allegations constituted “personal injury” as that term is defined under the CGL Policies. In particular, the CGL Policies defined personal injury as “injury, other than bodily injury or advertising injury, that’s caused by a personal injury offense.” And, the CGL policies defined “personal injury offense” as “[m]aking known to any person or organization covered material that violates a person’s right of privacy.” The central question in the District Court’s analysis is whether the material, or personal information, was “made known” by Rosen and, therefore, constitutes a personal injury offense. Both parties agreed “making known” “is synonymous with ‘publication.’”
In addressing this question, Travelers argued that the allegations against Rosen do not constitute publication because “third-party data breaches are not covered under” CGL policies. That is, there is no coverage because the alleged injuries do not result from Rosen’s “business activities but rather the actions of third parties.” In other words, there is no coverage for these claims because, if there was a publication, the publication was not done by the insured, Rosen.
This decision serves as another reminder that only a sliver of the data breach cases even arguably trigger coverage under a CGL policy. On the other hand, the insurance marketplace has solved the problem Rosen faced in this matter by offering cyber insurance policies that are specifically designed to provide cyber coverage.
Please contact Todd M. Rowe (firstname.lastname@example.org) for additional questions or for a copy of this decision.