(Article from Insurance Law Alert, October 2018)
For more information, please visit the Insurance Law Alert Resource Center.
A Florida federal district court ruled that a general liability insurer has no duty to defend data breach claims, finding that coverage for breach of privacy allegations applied only where the publication of personal information was done by the policyholder itself, and did not extend to acts undertaken by third-party hackers. St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., 2018 WL 4732718 (M.D. Fla. Sept. 28, 2018).
A hotel hired Millennium to provide data security services. When the hotel learned of a potential credit card breach, it informed Millennium that it believed that Millennium’s negligence caused the breach. Millennium submitted a notice of claim to St. Paul, which then sought a declaration that it had no duty to defend any claim made by the hotel against Millennium. The court granted in part St. Paul’s summary judgment motion, finding that the insurer had no duty to defend under the policy’s “personal injury” provision.
The personal injury coverage included “[m]aking known to any person or organization covered material that violates a person’s right of privacy.” The parties did not dispute that the credit card information released in the data breach constituted covered personal information. However, St. Paul’s argued that the “making known” requirement was not met. The court agreed, finding no coverage because the alleged privacy violation did not result from Millennium’s own conduct, but rather from the actions of third-party hackers. The court relied on Innovak Int’l, Inc. v. Hanover Ins. Co., 280 F. Supp.3d 1340 (M.D. Fla. 2017) (discussed in our December 2017 Alert), in which the court held that coverage under a personal injury provision required the insured to be the publisher of the private information. As discussed in our March 2014 Alert, a New York court reached the same conclusion in Zurich American Insurance Co. v. Sony Corp. of America, No. 651982/2011 (N.Y. Sup. Ct. New York City. Feb. 21, 2014), holding that a similar personal injury policy provision did not encompass hacking claims where the publication was committed by hackers rather than the insured itself.