Rosen Hotels and Resorts, Inc. (“Rosen”) operates a number of hotel properties in the Orlando area. Rosen’s subsidiary company, Rosen Millennium, Inc. (“Millennium”), provides IT support to Rosen, including data security.
In early 2016, Rosen learned of a possible data breach involving customer credit card data. A forensic investigation located malware on the company’s payment network, which indicated a third party had hacked into the system, and determined that customer credit cards used between September 2014 and February 2016 may have been compromised. In March 2016, Rosen notified potentially impacted customers of the data breach.
Duty to Defend
Rosen ultimately claimed that Millennium’s negligence caused the data breach. It did not file suit against Millennium. Millennium submitted a Notice of Claim to the Travelers unit of St. Paul Insurance (“Travelers”), which provided commercial general liability coverage to Millennium during the relevant time period. Travelers responded by issuing a reservation of rights indicating there was no coverage for these claims and ultimately initiated a declaratory judgment action in the Middle District of Florida contending it had no duty to defend Millennium’s claims. In the meantime, Rosen made a demand on Travelers arguing it was entitled to payment from Millennium for damages incurred by the data breach.
Travelers’ declaratory judgment action was directed at the duty to defend question. Millennium’s Notice of Claim was couched in terms of a claim for coverage for personal injury. The Travelers policy provided that a covered personal injury offense included “making known to any person or organization covered material that violates a person’s right of privacy.”
There was no dispute that the credit card information was released through the data breach, or that such information would violate privacy rights. The dispute centered on what constituted “making known” such information. While both Travelers and Millennium agreed “making known” was synonymous with “publication,” the parties differed on what precisely this meant.
No Coverage for Third Party Data Breach
Travelers argued the policy did not cover third-party data breaches. In other words, where the private information was obtained and disclosed by a third party, the policy was not triggered because nothing was “made known” by the insured. Since any damages caused by the data breach were the result of acts of a third-party hacker and not Millennium, coverage under the policy was not implicated and, therefore, Travelers had no duty to defend any claims against Millennium.
District Judge Mendoza agreed, granting summary judgment to Travelers. The court did not find any acts of Millennium amounting to “making known” any of the compromised information. Citing a case interpreting South Carolina law on similar facts, Judge Mendoza found “the only plausible interpretation of [the insurance policy] is that it requires the insured to be the publisher of the [private information]” and that CGL policies generally require injuries to be the result of an insured’s actions, not the actions of an unrelated third party.
Thus, under the Rosen decision, how an insured characterizes a claim under a commercial general liability policy relating to a data breach will have an impact on potential coverage for such claims. Where it is clear the data release was not caused by the insured, but by a third party, Rosen seems to indicate there would be no coverage for such claims. However, where an insured is involved in the dissemination of data, coverage might exist.
As a postscript, interestingly the Rosen decision did not involve “property damage” caused by the insured. While Rosen might have suffered damages by having to investigate the breach and comply with notice requirements, etc. and claimed Millennium was responsible for those damages, there was no lawsuit against Millennium or anything else tangible the court could analyze to determine if there was any duty to defend property damage claims. So, even after Rosen, commercial general liability coverage for data breach claims might still exist when such claims are couched in terms of property damage.
If you have any questions or concerns about data breach or data security, please feel free to contact me at firstname.lastname@example.org or by phone at 239-344-1153.