As many readers of this blog already know, our insurance coverage practice monitors courts around the nation for court decisions that might interest our readers. Decisions involving insurance coverage for data breach incidents continue to be of interest, especially where policyholders seek coverage under the “personal and advertising injury” provisions in standard commercial general liability insurance policies.
Late last week, the U.S. District Court for the Middle District of Florida issued another opinion consistent with the nationwide trend that such policies do not provide coverage for insureds who are the victims of, or allegedly cause, data breaches, absent evidence that the insured itself published the sensitive data.
In St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., Middle District of Florida Case No. 17-CV-540 (J. Mendoza) (Sept. 28, 2018), St. Paul sought a court declaration that its personal and advertising injury coverage form did not provide coverage, defense or indemnity, for a data breach incident allegedly caused by Rosen Millennium, a data security provider. The breach incident caused the credit card information of Rosen Millennium’s customer to be exposed by hackers.
St. Paul’s coverage form provides coverage for various specified offenses, including “making known to any person or organization covered material that violates a person’s right of privacy.” Rosen Millennium argued that it had received a demand letter alleging that it was negligent, resulting in the exposure of cardholder’s personal information, violating their right of privacy, and seeking damages. These allegations, it argued, qualified for coverage.
The court took care to review existing precedent and found no potential coverage. While no prior decision used the “making known” language found in St. Paul’s policy, the court found that that phrase was synonymous with the term “publication.” Because there was no evidence that Rosen Millennium itself published the sensitive information, there was no potential coverage.
There were a few other interesting aspects of the court’s decision. First, the policy language requires publication of “covered material” before coverage applies, but does not more specifically describe what type of material might be “covered.” This was not an issue addressed in any length in the court’s opinion, however, because the parties conceded that the credit card information qualified.
In addition, Rosen Millennium argued that coverage was provided because the customers’ loss of the use of their credit cards constituted covered property damage. The court found this issue was not included in the demand letter received by Rosen Millennium and that the issue was not ripe for resolution.
You may find a copy of Judge Mendoza’s order here. If you are interested in discussing insurance coverage for data breach incidents, or any other insurance coverage issue, you may contact the author at tsmith@gklaw.com.