Courts Continue to Limit Coverage for Data Breach Claims under CGL Policies
This past week, a Florida federal court dealt another blow to policyholders seeking coverage for data breach claims under traditional commercial general liability (CGL) policies, finding that coverage was not afforded under a CGL policy for a claim involving a data breach incident that exposed credit card information and resulted in more than $1.4 million in damages. St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., No. 617CV540ORL41GJK, 2018 WL 4732718 (M.D. Fla. Sept. 28, 2018). Given the increasing frequency and magnitude of data breach incidents, the question of insurance coverage for such claims under CGL policies has become a significant issue over the past several years. Although some courts have found coverage under CGL policies for such claims under certain circumstances, the majority of courts have held that coverage is not afforded for data breach claims under CGL policies.
There are generally two arguments that policyholders have raised in seeking coverage under traditional CGL policies for data breach claims — both of which were raised by the policyholder in the Millennium case. First, policyholders have argued (with limited success) that coverage should be afforded for such claims under Coverage A (Bodily Injury and Property Damage Liability). In making this pitch to courts, policyholders have had to rely on creative arguments, claiming that coverage should be afforded under Coverage A based upon allegations of fear and apprehension of fraud arising from the data breach event, which such policyholders argue results in emotional distress and qualifies as “bodily injury” under the terms of some CGL policies. Additionally, some policyholders have argued that the alleged data breach incident resulted in “property damage” in the form of loss of use of computers, debit or credit cards, or hardware affected by the data breach incident.
Second, policyholders have argued (with somewhat more success) that coverage should be afforded for data breach claims under Coverage B (Personal and Advertising Injury Liability). Generally, policyholders take the position that coverage should be afforded under Coverage B on the theory that the data breach incident resulted in “publication . . . of material that violates a person’s right of privacy”, which qualifies as “personal and advertising injury” under Coverage B. In recent years, policyholders have had mixed results in advancing this theory of coverage for data breach claims under Coverage B. For example, in Zurich Am. Ins. Co. v. Sony Corp. of America et al., Case No. 651982/2011, 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014), the Supreme Court of the State of New York held that coverage was not afforded for a massive data breach stemming from the hacking of Sony’s PlayStation online services because Coverage B for “publication of material that violates a person’s right to privacy” only applies if the policyholder, not third-party hackers, committed the alleged acts. On the other hand, in Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., 35 F. Supp. 3d 765 (E.D. Va. 2014), aff’d sub nom. Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944, 2016 WL 1399517 (4th Cir. Apr. 11, 2016), the Fourth Circuit held that coverage was afforded under Coverage B for a data breach incident where medical records maintained by the insured were exposed on the internet for four months.
This past week, the U.S. District Court for the Middle District of Florida addressed both of these arguments for coverage for a data breach incident under a traditional CGL policy, and found that coverage was not afforded. St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., No. 617CV540ORL41GJK, 2018 WL 4732718 (M.D. Fla. Sept. 28, 2018). In the Millennium case, the policyholder, Rosen Millennium, Inc. (Millennium) provided data security services for Rosen Hotels & Resorts (RHR). In 2016, RHR became aware of a credit card breach at one of their hotels and discovered malware installed on the payment network. RHR notified Millennium that it believed that the breach was caused by Millennium’s negligence in providing data security services, and demanded indemnity for about $1.4 million in damages allegedly stemming from the breach. Millennium tendered the claim to its CGL insurer—St. Paul Fire and Marine Insurance Company (St. Paul), and St. Paul issued a reservation of rights letter and subsequently filed suit against Millennium, seeking a declaratory judgment that it did not have a duty to defend Millennium against RHR’s claim.
Millennium asserted two theories that coverage should be afforded under the CGL policies issued by St. Paul: (1) the damages resulting from the data breach incident qualified as “personal injury” (i.e. injury resulting from publication of material that violates a person’s right of privacy) under Coverage B, and (2) the customers’ loss of use of their credit cards was covered as “property damage” under Coverage A.
Addressing Millennium’s first theory of coverage, the court noted that the CGL policies issued by St. Paul to Millennium provided coverage for “personal injury”, defined by the policies to include injury caused by, inter alia, “[m]aking known to any person or organization covered material that violates a person’s right of privacy.” The parties in the Millennium case did not dispute that the credit card information released as a result of the data breach constituted covered material, but rather disagreed as to whether the “making known” or “publication” requirement had been met. Citing the Sony case, the court held that CGL policies require covered personal injuries to “result[ ] from [the insured’s] business activities”, not the actions of third-parties. Because RHR’s injuries did not result from Millennium’s business activities, but rather from the actions of third parties, the Millennium court held that coverage was not afforded under Coverage B.
Next, the court addressed Millennium’s claim that it was entitled to coverage under Coverage A because the data breach incident resulted in “property damage” (i.e. loss of use of the compromised credit cards). The court noted that because suit had not been filed relating to the data breach incident, the court had to look the notice of claim and demand letter in order to evaluate coverage. Although these documents indicated that Millennium “made private information known to third parties that violated a credit card holder’s right of privacy,” the court held that there was no mention of property damage (i.e. loss of use of credit cards). Accordingly, the court declined to find coverage under Coverage A.
Although cyber-security policies are becoming more common, insurers will certainly continue to face claims for coverage for data breach claims under traditional CGL policies given the increasing frequency and magnitude of data breach incidents. To that end, the Millennium case should provide additional support to insurers faced with such claims.