On February 13, 2015, the U.S. District Court for the Northern District of California dismissed with prejudice St. Paul Fire and Marine Insurance Company’s declaratory judgment lawsuit against Vendini, Inc., noting that the parties had agreed to a confidential settlement on the same day.  In the declaratory judgment action, St. Paul had disclaimed coverage under Vendini’s insurance policy in connection with a $3 million class action lawsuit brought against Vendini stemming from a March 2013 data breach.

Pursuant to St. Paul’s amended complaint, from September 2012 through September 2013, St. Paul issued a commercial insurance policy to Vendini, an online box office company specializing in event ticket sales nationwide, which was subject to the following limits:  $1 million each event; $1 million personal injury each person; $1 million advertising injury each person; and a general total limit of $2 million. The policy also provided Vendini with umbrella excess coverage with a $5 million general total limit.

In May 2013, Vendini notified its customers of a data breach after a hacker accessed its databases and also may have accessed customers’ personal information, including the customers’ names, mailing addresses, email addresses, phone numbers, and credit card numbers and expiration dates.  According to St. Paul’s amended complaint, Vendini notified its customers that a “third-party criminal actor used hacking technologies to access [its] databases.”  Vendini notified St. Paul of the claims and requested the insurer to defend and indemnify it against the claims prior to and following a class action lawsuit in California state court brought by two Vendini customers affected by the data breach.  St. Paul filed a declaratory judgment action seeking a declaration that it had no duty to defend or indemnify Vendini in the class action suit, which accused Vendini of not properly safeguarding customers’ personal information and failing to adequately encrypt the data or use adequate data security measures, which contributed to the company’s inability to detect the breach until a month later.

In October 2014, a California state judge approved the $3 million settlement between Vendini and customers whose information was subject to the March 2013 data breach.  The federal judge dismissed St. Paul’s suit against Vendini, subject to the consummation of the conditional settlement, the details of which were not disclosed to the court.  The order of dismissal is available here.