The United States District Court for the Middle District of Florida addressed the question of whether a data breach caused by a hacker's intrusion into a company's payment system falls within the scope of coverage of a standard commercial general liability (CGL) policy. The case is St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., No. 6:17-cv-540-Orl-41GJK, 2018 U.S. Dist. Lexis 173072 (M.D. Fla. Sep. 28, 2018).
Rosen Millennium, Inc. (RMI), the insured, provided data security services to its parent company, Rosen Hotels & Resorts (RHR). In 2016, RHR found malware installed on one of its hotels' payment networks, indicating a potential credit card breach. Customers' credit cards that had been used between September 2014 and February 2016 were potentially compromised. RHR disclosed the suspected data breach to potentially affected customers and sent a demand letter to RMI, alleging that RHR was entitled to over $1.4 million in compensation for expenses arising from the breach, including forensic investigation, crisis management, attorney fees, notification to credit card holders, and fees from credit card companies for costs associated with card replacement and fraudulent charges. RMI submitted a claim under Coverage B of its CGL policy with its insurer, St. Paul Fire & Marine Insurance Co. (St. Paul). That section of the CGL policy provided coverage for injury “caused by a personal injury offense,” including “making known to any person or organization covered material that violates a person's right of privacy.”
St. Paul argued that Coverage B only provides coverage for a publication resulting from an act of the insured, not from the acts of third parties, so there was no coverage because the actions of third-party hackers, not the actions of RMI, led to the losses. The district court agreed and granted summary judgment to St. Paul, so it will not have to defend or pay for the “personal injury” from the credit card breach. The court relied on prior cases with similar decisions, and distinguished other cases in which coverage for data breaches was found because the breach occurred through inadvertent exposure of sensitive information by careless acts of the insured, rather than through a third-party hacker.
Editor's Note: This case is on appeal before the Eleventh Circuit. St. Paul argued that there was no “claim” under the terms of the policy, and that RMI was attempting to manufacture coverage under a third-party liability policy for what was really a first-party loss to RHR. When crafting a notice for a claim, an insurer should choose wording carefully in case the content of the notice becomes a part of legal processes.

