A federal district court in Florida has ruled that a claim against a policyholder arising out of a hacker’s theft of confidential credit card information was not covered under a commercial general liability (CGL) policy.  St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., M.D. Fla. Case No. 17-cv-540 (Sept. 28, 2018).  This is not the first such decision.  Courts have held similarly in Innovak Int’l, Inc. v. Hanover Ins. Co., 280 F.Supp.3d 1340, 1347-1348 (M.D. Fla. 2017) and Zurich American Ins. Co. v. Sony Corp. of America,  2014 WL 3253541, 2014 N.Y. Misc. LEXIS 5141 at *71 (N.Y. Sup. Ct. Feb. 21, 2014).

While we disagree with these courts’ reasoning, policyholders concerned about data breach liability should take note of these decisions and consider buying more reliable insurance protection for this risk.

In Rosen Millennium, a client of data security firm Millennium discovered that a hacker had stolen confidential credit card information from its computer system.  The client responded to the breach and asserted a claim against Millennium for the fees and expenses it incurred, as well as other losses.  The client contended, in a pre-litigation demand letter, that Millennium had been negligent in protecting the information on its computer system and, as a result, “made private information known to third parties that violated a credit card holder’s right of privacy.”

Millennium sought a defense against the claim from its CGL insurer, St. Paul.  The St. Paul CGL policy covered suits alleging “personal injury,” defined as an “injury, other than bodily injury or advertising injury, that’s caused by a personal injury offense.”  A “personal injury offense” included “[m]aking known to any person or organization covered material that violates a person’s right of privacy.”

Even though the client’s demand letter alleged that Millennium “made private information known to third parties”—fitting squarely within the policy’s coverage grant—the court found that St. Paul did not have a duty to defend.  The court first noted that the parties agreed that “making known” had the same meaning as “publication.”  It then relied on Innovak and Sony, which interpreted the word “publication” in CGL policies and found no coverage for hacking-related claims because the policyholder must be the one doing the “publishing.”  The Rosen Millennium court then held that because the stolen credit card information was “made known” by a hacker, not an affirmative act of Millennium, there was no coverage.

This series of cases—Sony, Innovak and now Rosen Millennium—is disturbing.  Nothing in the CGL policies involved in those cases stated that the policyholder must be the one that “publishes” or “makes known” the private information.  Sony and Innovak even held that “publication, in any manner” does not mean the policyholder’s negligence in allowing a third party to access private or confidential information.  They reasoned that “any manner” meant the method by which the publication was made (e.g., email, fax etc.) and did not refer to the party that made the publication.

The Rosen Millennium court made a similarly dubious assertion that shines a bright spotlight on the logical error in these courts’ rationale.  It attempted to support its conclusion that the policyholder must affirmatively make the confidential or private information known by stating that the St. Paul CGL policy required covered personal injuries to “result[] from [the insured’s] business activities” and concluded that the client’s “alleged injuries did not result from Millennium’s business activities but rather the actions of third parties.”

It is hard to see how Millennium could be liable for having negligently secured the client’s computer system—the negligent act that resulted in the “mak[ing] known of private information—without engaging in business activities.  That was precisely the job it was hired to do—securing the client’s computer system so that the private information on it was not “made known” to third parties.

At bottom, these decisions are based on the flawed assumption that the policyholders had no role in the data breaches.  The hackers got the information themselves.  But a finding of negligence liability against the policyholder would prove the opposite.  Failing to do a job correctly that results in the making known of private information is no different than actually giving the information to a third party.  It should be irrelevant exactly how the policyholder’s role in the publication is characterized.  If it is possible that the policyholder will be liable for the publication, there is a duty to defend because the CGL policy expressly states it is covering damages “because of” that publication.

Several courts have reached this result.  See Travelers Indem. Co. of Am. v. Portal Healthcare Sols., LLC, 35 F. Supp. 3d 765, 768 (E.D. Va. 2014), aff’d, 644 F. App’x 245 (4th Cir. 2016) and Hartford Casualty Insurance Company v. Corcino & Associates, et al, No. CV 13-3728 GAF JCX, 2013 WL 5687527, at *1 (C.D. Cal. Oct. 7, 2013). In Portal, the policyholder failed to  properly secure information on its system that allowed third parties to find it through simple Google searches on the internet.  In Corcino, the policyholder gave private health information to a job applicant, who posted it on the internet.  Both courts found that, while the policyholders did not actually choose make the information public, they were liable for it having been made public and thus should have coverage under their CGL policies covering liability for the wrongful publication of private material.  The Rosen Millennium court’s attempt to distinguish these cases on the ground that the breaches were not perpetrated by hackers rings hollow.

Regardless of how we might view these decisions, their existence creates a risk that policyholders will not have the coverage they reasonably expect under CGL policies for data breach events.  This coverage is available under a variety of policies, including those providing cyber insurance and technology errors and omissions liability coverage.  Policyholders should consider their data breach risks and whether they might be best protected by cyber insurance.  As I’ve written previously, there is great variation in the scope of coverage offered by such policies and it is negotiable.  Consult a broker and/or attorney with experience in this area when you are buying it.