As data breaches become more common, and as the cost of dealing with these breaches climbs higher, policyholders are wise to consider whether they carry adequate insurance coverage. Policyholders are also wise to consider all the potential avenues for recovering their losses from a data breach, including traditional insurance policies that are not specific to cyber liability. 

An unusual case involving a malware attack at a chain of hotels in Orlando, Florida, may offer policyholders some guidance on where the boundaries are. In St. Paul Fire & Marine Insurance Co. v. Rosen Millennium Inc., Case No. 6:17-cv-540-ORL-41- GJK (M.D. Fla.), the U.S. District Court for the Middle District of Florida is poised to decide several interesting questions about an insurer’s duty to defend a policyholder in the event of a data breach and the scope of coverage for data breaches under standard form commercial general liability (CGL) policies. 

The insurer in this case, St. Paul Fire & Marine (St. Paul), is a subsidiary of Travelers Insurance. The policyholder, Rosen Millennium (Millennium), provides cybersecurity and IT support for its sister company, Rosen Hotels & Resorts (the hotel). In 2014, St. Paul sold a standard form CGL policy to Millennium. Under the terms of the policy, St. Paul has a duty to defend Millennium against “personal injury” claims, including allegations of “[m]aking known to any person or organization covered material that violates a person’s right to privacy.” St. Paul also has a duty to defend Millennium against property damage claims, including damages resulting from the loss of use of property. 

In February 2016, the hotel began receiving reports that unauthorized charges were appearing on their guests’ credit card accounts shortly after their stays. The hotel hired a forensic investigator to inspect its systems to see whether it had been compromised. The investigator discovered that malware had been installed in the system on several occasions over the course of approximately 18 months. The malware had captured guests’ credit card numbers and published them to third parties on the dark web. The hotel incurred significant expenses to respond to the breach and notify potentially affected guests. This included $150,000 for the services of the investigator, $50,000 in lawyers’ fees, $14,000 in fees for the services of a crisis management firm and $14,000 to send notices out to guests. 

In a somewhat unusual move, the hotel sought to recover its losses from Millennium, its sister company who was responsible for the hotel’s cyber security. In its demand letter, the hotel wrote “[a]s you are aware, [the Hotel] became aware of a data breach in March of 2016, in which [Millennium] made private information known to third parties that violated a credit card holder’s right of privacy.” According to the letter, the hotel had suffered more than $1.4 million in damages to that point and expected to incur significantly more. This figure included the hotel’s liability for assessments from credit card companies related to the fraudulent charges and the cost of replacing the cards that had been compromised. The hotel added, “[p]lease put your insurance company on notice regarding this claim.”

Following Millennium’s tender of the claim to its insurer, St. Paul, Millennium received a coverage denial and St. Paul sued for a declaratory judgment that the policy does not cover the hotel’s losses. As a preliminary matter, Millennium filed a motion for judgment on the pleadings that, under the policy, St. Paul has a duty to defend it against the hotel’s demands. Under Florida law, an insurer has a duty to defend “when the complaint alleges facts that fairly and potentially bring the suit within policy coverage.” Jones v. Florida Insurance Guar. Ass’n, Inc., 908 So.2d 435, 442–43 (Fla. 2005). Accordingly, the key issue for the district court to decide is whether the hotel’s letter to the policyholder, its sister company, “alleges facts that fairly and potentially bring the suit” within the coverage of Millennium’s policy. The parties have submitted their initial briefs, and the motion is now pending before the district court. The dispute hinges on several issues that policyholders will want to watch closely.

First, is the demand letter the hotel sent to its sister company a “claim” at all? According to Millennium, the answer is straightforward. The policy defines a “claim” as “a demand that seeks damages.” The hotel certainly demanded that Millennium pay the hotel’s damages in its letter. Therefore, according to Millennium, the hotel’s letter is a claim. St. Paul, however, argues that the letter is not a claim that triggers its duty to defend. The core of St. Paul’s argument is that the demand letter lacks the type of factual allegations needed for the letter to even potentially bring the hotel’s demand within the scope of coverage. In particular, the letter makes no allegations about Millennium’s role in the data breach. It simply mentions the data breach and demands payment. Moreover, the hotel did not claim that its own privacy rights had been violated; its demand is based on a violation of the rights of third parties, namely, the hotel’s guests. Policyholders — particularly those who provide cyber security and IT services and those who are members of larger corporate families — should pay particular attention to how the district court resolves this issue.

Second, does Millennium’s personal injury coverage potentially apply to a breach committed by a third party against its client and sister company? This depends heavily on whether the hotel’s letter adequately alleges that Millennium “[made] known to any person or organization covered material that violates a person’s right to privacy.” Millennium argues that the phrase “making known” is synonymous with publishing the information and that the hotel guests’ information was indeed published as a result of the breach. By contrast, St. Paul argues that the hotel’s letter is insufficient to trigger its duty to defend because the hotel does not allege that its own privacy rights were violated, and it does not have standing to sue on behalf of its guests. Moreover, the data breach was perpetrated by third parties against systems that belonged to the hotel, not to Millennium. St. Paul also argues that “making known” personal injury offense is meant to protect against intentional actions by the policyholder, not the policyholder’s negligence or the actions of third-party hackers. 

As the parties note in their briefs, several courts have considered whether the “making known” provision applies only when the policyholder intentionally publishes the information at issue. The current consensus favors this more limited reading of personal injury coverage asserted by St. Paul. See, e.g., Stonelight Title Inc. v. Cal. Insurance Guar. Ass’n, 58 Cal Rptr. 3d 74, 89 (Cal. Ct. App. 2007); Liggett Grp. Inc. v. Ace Prop. & Cas. Insurance Co., 798 A.2d 1024, 1032 (Del. 2002); Harrow Prods. Inc. v. Liberty Mut. Insurance Co., 64 F.3d 1015, 1025 (6th Cir. 1995); Cnty. Of Columbia v. Cont’l Insurance Co., 634 N.E.2d 946, 950 (N.Y. 1994). Policyholders who provide cyber security and IT services — and their corporate affiliates — will want to watch carefully where the district court comes down on this question as well. 

Finally, there is a question as to whether Millennium’s property damage coverage may apply to the loss of use of the compromised credit cards. Millennium makes a creative argument that the hotel is liable for the cost of replacing the physical cards themselves and that this constitutes property damage under the terms of the policy. St. Paul’s response, however, is that, to the extent anyone can assert a property damage claim stemming from the loss of the credit cards, it is the hotel’s guests and not the hotel itself.

Once made and released, the district court’s decision should offer policyholders additional guidance on the extent to which their traditional insurance policies, and specifically CGL policies, may protect them in the event of data breaches and the extent to which a policyholder’s corporate affiliates can look to their policies for protection. 

This article was first published in Law360.