Courts Continue to Limit Coverage for Data Breach Claims under CGL Policies
This past week, a Florida federal court dealt another blow to policyholders seeking coverage for data breach claims under traditional commercial general liability (CGL) policies, finding that coverage was not afforded under a CGL policy for a claim involving a data breach incident that exposed credit card information and resulted in more than $1.4 million in damages. St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., No. 617CV540ORL41GJK, 2018 WL 4732718 (M.D. Fla. Sept. 28, 2018). Given the increasing frequency and magnitude of data breach incidents, the question of insurance coverage for such claims under CGL policies has become a significant issue over the past several years. Although some courts have found coverage under CGL policies for such claims under certain circumstances, the majority of courts have held that coverage is not afforded for data breach claims under CGL policies.
There are generally two arguments that policyholders have raised in seeking coverage under traditional CGL policies for data breach claims, both of which were raised by the policyholder in the Millennium case. First, policyholders have argued (with limited success) that coverage should be afforded for such claims under Coverage A (Bodily Injury and Property Damage Liability). In making this pitch to courts, policyholders have had to rely on creative arguments, claiming that coverage should be afforded under Coverage A based upon allegations of fear and apprehension of fraud arising from the data breach event, which such policyholders argue results in emotional distress and qualifies as "bodily injury" under the terms of some CGL policies. Additionally, some policyholders have argued that the alleged data breach incident resulted in "property damage" in the form of loss of use of computers, debit or credit cards, or hardware affected by the data breach incident.
Second, policyholders have argued (with somewhat more success) that coverage should be afforded for data breach claims under Coverage B (Personal and Advertising Injury Liability). Generally, policyholders take the position that coverage should be afforded under Coverage B on the theory that the data breach incident resulted in "publication . . . of material that violates a person's right of privacy", which qualifies as "personal and advertising injury" under Coverage B. In recent years, policyholders have had mixed results in advancing this theory of coverage for data breach claims under Coverage B. For example, in Zurich Am. Ins. Co. v. Sony Corp. of America et al., Case No. 651982/2011, 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014), the Supreme Court of the State of New York held that coverage was not afforded for a massive data breach stemming from the hacking of Sony's PlayStation online services because Coverage B for "publication of material that violates a person's right to privacy" only applies if the policyholder, not third-party hackers, committed the alleged acts. On the other hand, in Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., 35 F. Supp. 3d 765 (E.D. Va. 2014), aff'd sub nom. Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944, 2016 WL 1399517 (4th Cir. Apr. 11, 2016), the Fourth Circuit held that coverage was afforded under Coverage B for a data breach incident where medical records maintained by the insured were exposed on the internet for four months.
This past week, the U.S. District Court for the Middle District of Florida addressed both of these arguments for coverage for a data breach incident under a traditional CGL policy, and found that coverage was not afforded. St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., No. 617CV540ORL41GJK, 2018 WL 4732718 (M.D. Fla. Sept. 28, 2018). In the Millennium case, the policyholder, Rosen Millennium, Inc. (Millennium) provided data security services for Rosen Hotels & Resorts (RHR). In 2016, RHR became aware of a credit card breach at one of their hotels and discovered malware installed on the payment network. RHR notified Millennium that it believed that the breach was caused by Millennium's negligence in providing data security services, and demanded indemnity for about $1.4 million in damages allegedly stemming from the breach. Millennium tendered the claim to its CGL insurer, St. Paul Fire and Marine Insurance Company (St. Paul), and St. Paul issued a reservation of rights letter and subsequently filed suit against Millennium, seeking a declaratory judgment that it did not have a duty to defend Millennium against RHR's claim.
Millennium asserted two theories that coverage should be afforded under the CGL policies issued by St. Paul: (1) the damages resulting from the data breach incident qualified as "personal injury" (i.e. injury resulting from publication of material that violates a person's right of privacy) under Coverage B, and (2) the customers' loss of use of their credit cards was covered as "property damage" under Coverage A.
Addressing Millennium's first theory of coverage, the court noted that the CGL policies issued by St. Paul to Millennium provided coverage for "personal injury", defined by the policies to include injury caused by, inter alia, "[m]aking known to any person or organization covered material that violates a person's right of privacy." The parties in the Millennium case did not dispute that the credit card information released as a result of the data breach constituted covered material, but rather disagreed as to whether the "making known" or "publication" requirement had been met. Citing the Sony case, the court held that CGL policies require covered personal injuries to "result[ ] from [the insured's] business activities", not the actions of third-parties. Because RHR's injuries did not result from Millennium's business activities, but rather from the actions of third parties, the Millennium court held that coverage was not afforded under Coverage B.