October 10, 2018
Almost a year after Middle District Judge Mary Scriven’s instructive decision in Innovak Int’l, Inc. v. Hanover Ins. Co. in which she declined to hold that a traditional commercial general liability (CGL) policy, as drafted, covered a cyber event, Middle District Judge Carlos Mendoza, has ruled in agreement with Innovak in his opinion issued in St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc. and Rosen Hotels & Resorts, Inc. The two holdings taken together demonstrate that by virtue of the way that most traditional CGL policies are drafted, such policies often will not protect your business from cyber-events. Businesses of all sizes which handle sensitive personal data should take note of this, especially in a cyber landscape where data breaches continue to occur with increasing frequency each year. Regardless of whether your business outsources its data security to a third party or handles it internally, it is time to start seriously evaluating whether your business should obtain cyber liability or crime insurance, or a combination of both, to insure you against cyber risks.
In the St. Paul decision, Judge Mendoza held that St. Paul Fire and Marine Insurance Company (St. Paul), did not have a duty to defend or indemnify its insured, Rosen Millennium, Inc. (Millennium) against a claim by Rosen Hotel & Resorts, Inc. (RHR) stemming from a data breach under the language of Millennium’s CGL policies with St. Paul – specifically the personal injury portions of the policies. By way of background, Millennium is a provider of data security services and provided such services for RHR, which became aware of a credit card breach at one of its hotels in the form of malware installed on the payment network. On December 29, 2016, Millennium filed a notice of claim with St. Paul and, in turn, St. Paul issued a statutory reservation of rights letter to Millennium stating that there was no coverage. St. Paul then sued Millennium seeking the court’s declaration that there was no coverage for the claim.
Millennium argued under its policy with St. Paul, that it was entitled to coverage under the personal injury provisions of its CGL policies. Nonetheless, Judge Mendoza of the Middle District of Florida found this argument to be unpersuasive, and entered a declaratory judgment that St. Paul had no duty to defend Millennium against any claim brought by RHR under the personal injury provision of the CGL policies. Specifically, as Judge Scriven did almost a year ago in Innovak, Judge Mendoza analyzed the plain language of the CGL policies, and determined that St. Paul was not required to cover personal injury unless such resulted from Millennium’s own business activities and that a third party’s action (i.e., the actions of the malware hacker(s) were not Millennium’s own actions). Critically, Judge Mendoza made a distinction between data breaches resulting from negligence of an insured, and data breaches perpetrated by a third party. Other arguments were dismissed as being made too soon.
There are two key takeaways from this decision: First, standard CGL policies are not drafted, designed, nor truly intended to cover “generic” cyber breaches. The traditional CGL form was written and adopted before “cyber breach” was even a known liability event. Second, depending on the facts and the lawyering, there may, at times, be some coverage under a CGL for some cyber events; however, this should be considered as a last hope option. Rather, it is better to undertake a careful review of, among other things, your data’s nature and content, how it is used, how it is stored, and means of access. Against that review, you should consider whether you need both a cyber policy and also a crime policy. This is so because just like with a CGL, cyber and crime policies provide different coverages for different events both of which at times may be characterized—again generically speaking—as “cyber’ish”. It may be the case that you need all three, a CGL, a cyber and a crime policy, for full coverage. Finally, consider the nature and extent of coverage that your third-party vendors may or may not have, as well as their contractual liability (which at times may be none) to you.
While we do not offer insurance, we do handle the aftermath and can also provide insight into such policies before you obtain them.
If you have any questions please contact a member of our Privacy, Cybersecurity & E-Discovery Group.