Recent Florida Federal Court Decision Reaffirms “Publication” Requirement for CGL Coverage for Data Breaches
As an update to our New York Law Journal Article from March 5, 2018, a recent decision from the U.S. District Court, Middle District of Florida, reaffirms the rule (followed by several other courts), that there is no coverage for a data breach under the standard Commercial General Liability Policy unless the insured is responsible for the act of “publication.” In St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., 17-cv-540-Orl-41GJK (M.D. Fla. Sep. 28, 2018), the insured, Rosen Millennium, Inc. (“Millennium”) sought coverage under two consecutive Commercial General Liability (CGL) policies issued by St. Paul for claims arising out of a data breach. Millennium provided data security services for a parent company, Rosen Hotels & Resorts, Inc. (“RHR”). In February 2016, RHR became aware of a potential credit card breach at one of their hotels, and it was discovered that malware had been installed on RHR’s payment network.
RHR subsequently notified Millennium that it believed that the data breach was caused by Millennium’s negligence and inquired as to whether Millennium had insurance to cover RHR’s losses. Millennium then notified St. Paul of this claim, who filed a declaratory judgment action seeking a declaration that it had no duty to defend Millennium against RHR’s potential claim.
The St. Paul policies provided coverage for a “personal injury offense” which included “making known to any person or organization covered material that violates a person’s right of privacy.” Although it was not disputed that the credit card information was “covered material,” the parties disputed whether the data breach satisfied the “making known” requirement. The Court noted that the term “making known” was synonymous with “publication.”
Relying heavily on another Middle District of Florida decision, Innovak International, Inc. v. Hanover Ins. Co., 280 F. Supp. 3d 1340 (M.D. Fla. 2017), the Court held that the “making known” requirement was not satisfied because there was no publication of personal information by Millennium. Rather, as in Innovak, the “publication” was perpetrated by hackers. The Court also
distinguished other cases where Courts held that there was coverage for a data breach under a CGL policy as involving situations where the insured caused the publication, not a third-party computer hacker. The Court granted St. Paul summary judgment declaring that it had no duty to defend Millennium under the personal injury provisions of the CGL policies.
This decision is consistent with prior decisions in which Courts have found that there must be “publication” by the insured, and not a third party, in order to trigger coverage under a CGL policy.