Don’t Expect Commercial General Liability Insurance Policies to Protect Against Cyber Breach or Crime

October 09, 2018

By: Brian Lawrence and Drew Sorrell

Almost a year after Middle District Judge Mary Scriven’s instructive decision in Innovak Int’l, Inc. v. Hanover Ins. Co., in which she declined to hold that a traditional commercial general liability (CGL) policy, as drafted, covered a cyber event, Middle District Judge Carlos Mendoza has ruled in agreement with Innovak in his opinion in St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc. and Rosen Hotels & Resorts, Inc. Taken together, the two holdings demonstrate that, because of the way most traditional CGL policies are drafted, such policies often will not protect your business from cyber events. Businesses of all sizes that handle sensitive personal data should take note, especially in a cyber landscape where data breaches continue to occur with increasing frequency each year. Whether your business outsources its data security to a third party or handles it internally, it is time to start seriously evaluating whether your business should obtain cyber liability insurance, crime insurance, or a combination of both to insure against cyber risks.

In the St. Paul decision, Judge Mendoza held that, under the language of Millennium’s CGL policies with St. Paul (specifically the personal injury portions of the policies), St. Paul Fire and Marine Insurance Company (St. Paul) did not have a duty to defend or indemnify its insured, Rosen Millennium, Inc. (Millennium), against a claim by Rosen Hotels & Resorts, Inc. (RHR) stemming from a data breach. By way of background, Millennium is a provider of data security services and provided such services for RHR, which became aware of a credit card breach at one of its hotels in the form of malware installed on the payment network. On December 29, 2016, Millennium filed a notice of claim with St. Paul and, in turn, St. Paul issued a statutory reservation of rights letter to Millennium stating that there was no coverage. St. Paul then sued Millennium, seeking the court’s declaration that there was no coverage for the claim.

Millennium argued that it was entitled to coverage under the personal injury provisions of its CGL policies with St. Paul. Judge Mendoza of the Middle District of Florida found this argument unpersuasive and entered a declaratory judgment that St. Paul had no duty to defend Millennium against any claim brought by RHR under the personal injury provision of the CGL policies. Specifically, as Judge Scriven did almost a year ago in Innovak, Judge Mendoza analyzed the plain language of the CGL policies and determined that St. Paul was not required to cover personal injury unless it resulted from Millennium’s own business activities, and that a third party’s actions (i.e., the actions of the malware hacker(s)) were not Millennium’s own actions. Critically, Judge Mendoza made a distinction between data breaches resulting from the negligence of an insured and data breaches perpetrated by a third party. Other arguments were dismissed as being made too soon.

There are two key takeaways from this decision. First, standard CGL policies are not drafted, designed, or truly intended to cover “generic” cyber breaches. The traditional CGL form was written and adopted before “cyber breach” was even a known liability event. Second, depending on the facts and the lawyering, there may, at times, be some coverage under a CGL policy for some cyber events; however, this should be considered a last-hope option. It is better to undertake a careful review of, among other things, your data’s nature and content, how it is used, how it is stored, and the means of access. Against that review, you should consider whether you need both a cyber policy and a crime policy. This is because, just as with a CGL policy, cyber and crime policies provide different coverages for different events, both of which at times may be characterized, again generically speaking, as “cyber’ish.” It may be the case that you need all three (a CGL, a cyber and a crime policy) for full coverage. Finally, consider the nature and extent of coverage that your third-party vendors may or may not have, as well as their contractual liability (which at times may be none) to you.

While we do not offer insurance, we do handle the aftermath and can also provide insight into such policies before you obtain them.

If you have any questions, please contact a member of our Privacy, Cybersecurity & E-Discovery Group.


Brian Lawrence concentrates his practice on complex litigation arising from commercial transactions, partnership disputes, trust and probate disputes and intellectual property matters.

Brian regularly advises national and local clients on matters pertaining to restrictive covenants, trademarks, copyrights and trade secrets. He has successfully defended and prosecuted lawsuits on behalf of national and local corporations and limited liability companies, sports teams, athletes and other public figures.

A member of the firm's Cybersecurity, Privacy & eDiscovery Group, Brian has significant experience evaluating complex security incidents and advising clients of their obligations under federal and state data security and privacy regulations. He has handled cybersecurity incident responses and data privacy matters impacting all 50 states and internationally.

Brian is as committed to serving the Central Florida community as he is to his practice. He is actively involved in Big Brothers Big Sisters of Central Florida, as both a big brother and a member of the executive board. He also serves as a guardian ad litem and provides pro bono services to professional guardianship organizations in Central Florida. Additionally, Brian is on the board of the Young Lawyers Section of the Orange County Bar Association, which supports local charitable endeavors and serves underprivileged youth.


Drew Sorrell's practice focuses on complex commercial issues, relating to both litigation and contract/policy drafting.

Drew has years of experience litigating business matters, intellectual property/patent infringement disputes, data breach/privacy issues, wire fraud (spoofing/spear phishing), business torts/disputes, insurance coverage, personal injury and employment litigation. Likewise, he has significant experience drafting and negotiating software licenses (SaaS), Internet service provider agreements, data privacy/breach policies and procedures, employment/services agreements as well as the indemnity and insurance coverage related to those agreements.

Initially, Drew began his legal career as a judicial clerk to Senior United States District Judge John H. Moore II, in Jacksonville, Florida, and then practiced with an AmLaw top 10 firm in Manhattan primarily in their litigation department. After spending some time as an assistant county attorney responsible for litigation, he joined Lowndes and is currently chair of the firm’s multi-discipline Cybersecurity, Privacy & eDiscovery Group.

A founding member of the Sedona Conference Group 11 (Privacy/Data Security), Drew is frequently asked to speak and write on legal and ethical issues arising from technology, including unfair and deceptive trade practices, data breach, privacy, data governance, and technology contract drafting. He is also currently serving as chair of the Orange County Bar Association Intellectual Property Committee.

Drew has argued before the United States Court of Appeals for the Eleventh Circuit, at the federal level, and the Fifth District Court of Appeal at the state level. He is admitted to The United States Supreme Court Bar, as well as the Florida, New York and District of Columbia Bars. He is admitted to practice before all federal district courts in Florida as well as the Southern District of New York.

Born in Florida, Drew roots for his adopted football team—the FSU Seminoles (because neither Rollins nor George Washington has a football team). He is a proud father of two sons who play basketball and soccer, make great grades and generally keep him very busy in his spare time.
