Florida Court Holds No Duty To Defend Data Breach Claim Under CGL Policy

By Brian Bassett

In St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, 2018 U.S. Dist. LEXIS 173072 (Sept. 28, 2018), the U.S. District Court for the Middle District of Florida held that an insurer owed no duty to defend an insured under a CGL policy where the insured was accused of failing to prevent hackers from accessing credit card information held by the claimant.

St. Paul Fire & Marine Insurance Company (“St. Paul”) issued two consecutive commercial general liability policies to Rosen Millennium (“Millennium”) during 2014 and 2015. Millennium provided data security services for Rosen Hotels & Resorts (“RHR”). In 2016, RHR learned that third-party malware caused a credit card breach in one of its hotels between September 2014 and February 2016. RHR alleged Millennium’s negligence caused the breach but has not initiated litigation against Millennium.

Millennium sought coverage for the claim from St. Paul, and St. Paul initiated a declaratory judgment action against Millennium and RHR seeking a finding of no coverage. The defendants argued that the personal injury coverage of the policy was implicated as a result of the alleged disclosure of credit card information. They also contended that the loss of customers’ use of credit cards was covered “property damage,” and the costs incurred by RHR in complying with notification statutes were covered under the policies.

The court first considered the nature of the underlying claim. Because no underlying litigation existed, the court focused on RHR’s notice of claim and demand letter to Millennium. The only relevant allegation in that letter was that a breach occurred within certain dates and that Millennium “made private information known to third parties that violated a credit card holder’s right of privacy.” RHR’s letter failed to mention property damage or costs incurred from complying with the notification statute. Accordingly, the court held that the issue of whether the policies covered any potential “property damage” and any notification costs was unripe.

The court then examined the issue of whether the third-party breach was covered by the St. Paul policies. The definition of “personal injury” in the policies included “[m]aking known to any person or organization covered material that violates a person’s right to privacy.” The parties agreed that credit card information was released upon breach, and they agreed that “making known” material was synonymous with “publication” of material. Citing Innovak International, Inc. v. Hanover Ins. Co., 280 F. Supp. 3d 1340 (M.D. Fla. 2017), the court held that policy coverage required the insured, rather than a third party, to publish the personal information that is the subject of the claim. As the breach resulted from third-party malware, and not from Millennium’s publication of personal information, RHR’s claim was not covered by the St. Paul policies. The court granted St. Paul’s motion for summary judgment and denied defendants’ motions as moot.