Illinois National Insurance Company, an AIG Commercial Insurance company, (“AIG”) told a Pennsylvania federal court in a brief opposing summary judgment that it has no duty to defend Hub Parking Technology USA Inc. (“Hub”), a Pittsburgh-area parking technology company, in a third-party complaint alleging a privacy breach that exposed customers’ credit card numbers at Cleveland Hopkins International Airport.

The litigation stems from a putative class action lawsuit against a parking facility, SP Plus, in Cook County, Illinois. The suit alleges a privacy breach resulting from the printing of parking receipts at a SP Plus parking facility that showed eight digits of customers’ credit card numbers in violation of state and federal law. Hub allegedly controlled the computers and equipment that received the credit card information and generated the receipts. SP Plus also sued Hub in a separate third-party action.

Hub filed a claim under its security and privacy insurance with AIG, which is alleged to provide coverage for security breaches and disclosure of personal data in violation of privacy laws. Hub asserted that the SP Plus lawsuit was the result of a failure to protect customers’ private information because of a failure of its computer system. AIG denied coverage, contending that the underlying complaint failed to allege a security breach or loss of privacy by Hub since Hub lacked “care, custody or control” over the credit card data allegedly failed to maintain the hardware and software of the machines that printed the parking receipts.

Hub sued AIG in Pennsylvania federal court, contending that the insurer breached its contract and “contorted” policy language in an attempt to avoid its duty to defend and indemnify Hub in the third-party lawsuit. AIG maintains that the claim is not a security failure, cyberattack, or hack. The incident is not the result of an unauthorized access or attack on Hub’s data or hardware and does not involve “confidential information” as defined by the policy; rather the litigation is the result of “a contract dispute between vendor and client” and not covered by the policy.[1]

The lawsuit is an illustration of how an insurer may take an overly narrow view of policy language to deny coverage for a cyber-related loss. It underscores the need for policyholders to review their insurance policies and understand how certain terms – such as “security failure” or “confidential information” – are defined to make sure there is coverage in place that adequately addresses their business needs. Hunton Andrews Kurth’s Insurance Recovery Group will continue to monitor and report on this case.