A U.S District Court in Florida’s ruling could have wide-reaching effects with respect to an insurer’s duty to defend commercial general liability policyholders in data breach cases resulting from the acts of third parties.
The Sept. 28 decision came in the case of St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., where the Travelers Co. commercial general liability (CGL) insurer brought a declaratory judgment action against its information technology company insured and the hotel for which its insured performed IT services.
St. Paul sought a declaration from the court that it did not have a duty to defend Rosen Millennium against a data breach claim perpetrated by a third party against Rosen Hotels & Resorts Inc., for which Millennium provided datasecurity services. The St. Paul CGL policy issued to the IT service provider provided certain coverage for property damage and certain coverage for personal injury.
Case Background
In 2016, the Orlando, Fla.-based hotel chain Rosen Hotels & Resorts Inc. became aware of a potential data breach at one of its hotels that affected its customers’ credit cards that had been used at the hotel. Following the discovery of the data breach, a forensic investigator conducted an investigation and concluded that the data breach resulted from the installation of malware on the hotel chain’s payment network by a third party.
Subsequently, Millennium sent a “Notice of Claim” to the insurer inquiring as to whether the policy provided insurance coverage for the data breach which the hotel chain alleged resulted from its negligence. In response, St. Paul sent a reservation of rights letter to the insured informing it that the policies did not provide coverage for the loss. Because of the coverage dispute, St. Paul then filed a declaratory action against Millennium to determine whether the insurer had a duty to defend it under the policies.
Millennium subsequently sent a demand letter it received from the Rosen hotel chain to the insurer alleging that Millennium was required to issue payment to the hotel chain as a result of the data breach.
Court Decision
First, the court determined that because it must confine its analysis to the allegations of the underlying claim when determining whether a duty to defend exists, and because the insured did not make a claim for property damage or the costs incurred for complying with notification statutes in its Notice of Claim, the issue of whether the CGL policies would cover those claims was not ripe.
With respect to the insured’s remaining claims under the personal injury provisions of the policies, the court found that as the insurer never admitted the existence of coverage, it did not waive its ability to deny coverage.
The court then looked to the language of the policies and concluded that they did not require the insurer to defend the insured because the hotel chain’s claims were not covered under the personal injury provisions of the CGL policies. Specifically, the policies provided coverage for “personal injury,” defined as an “injury, other than bodily injury or advertising injury, that’s caused by a personal injury or offense,” including “[m]aking known to any person or organization covered material that vio lates a person’s right of privacy.” Although the policies did not define the term “making known,” the parties agreed that the term meant “to publish.” The interpretation and application of the policy language “making known” is what was dispositive to the court.
The court cited Innovak International, Inc. v. Hanover Ins. Co., 280 F. Supp. 3d 1340 (M.D. Fla. 2017) which found no coverage when third party hackers, not the insured, caused the data breach. The Innovak court interpreted similar policy language to that at issue and found that for coverage to exist, the language required the insured to be the publisher of the private information. Because a third party published the information, not the insured, the Innovak court found the claims were not covered.
The court found the Innovak argument persuasive and ruled that because the alleged injuries resulted from the actions of third parties, not the actions of the insured, the personal injury claim was not covered under the CGL policies, and the insurer had no duty to defend the insured IT company. Because it was not the insured which “made known” the information but rather a third party, there was no coverage under the policy.
In light of this decision, in cases involving data breaches by third parties insurers and their counsel should always carefully compare and analyze the language of the policy with the facts of the case when determining whether there is a duty to defend.
Topics Lawsuits Florida Cyber Carriers Data Driven
Was this article valuable?
Here are more articles you may enjoy.
Former Congressman Charged After Collision with State Trooper in Florida 
Dubai Floods Expose Weaknesses to a Rapidly Changing Climate 
AIG General Insurance Chairman McElroy to Retire May 1 
Vintage Ferrari Owners’ Favorite Mechanic Charged With Theft, Fraud 
