The "C" in CGL is not for Cyber
Within the last year, two Federal judges in the Middle District of Florida decided that commercial general liability (CGL) insurance policies are not designed to cover the unauthorized publication of private information in cyber data breaches.
Innovak International, Inc. is a technology company that designs, develops, and sells accounting and payroll computer software systems to schools, school districts, and to other entities across the United States. Innovak's software and database provides up-to-date W2 and paystub information to end users, which is accessible remotely via an Internet portal.
In 2016, Innovak admitted that it was the victim of a cyber data breach that disclosed the personal information for hundreds of individuals. Shortly after, the affected individuals sued Innovak. In turn, Innovak notified Hanover Insurance Company about the incident and demanded that the insurer pay for the defense of the class action.
Hanover issued a CGL insurance policy to Innovak that covered claims for personal and advertising injury, which was defined as injury arising out of “[o]ral or written publication, in any manner, of material that violates a person's right of privacy.”
Hanover denied coverage, in part, because “third party hackers, not [Innovak] caused the data breach.”
Innovak then brought an action against Hanover asking the Court to decide that Hanover was contractually obligated to defend Innovak in the class action lawsuit.
The Court, applying South Carolina law, held that the only plausible interpretation of the insurance policy is that it requires Innovak to be the publisher of the private information. The Judge noted that “construing the policy to include the acts of third parties would be expanding coverage beyond what the insurance carriers were ... knowingly entering into.”
Earlier this year, another Court (St. Paul Fire & Marine Insurance Company v. Rosen Millennium, Inc., 2018 WL 4732718 (M.D.Fla., 2018)) agreed with the decision in Innovak.
Millennium provided data security services for Rosen Hotels & Resorts, Inc. (RHR). In February 2016, RHR became aware of a potential credit card breach at one of their hotels. Soon after, RHR hired a forensic investigator to determine whether a data breach occurred and, if so, to discover its source. The forensic investigator found malware installed on the payment network and determined that customers' cards used between September 2014 and February 2016 may have been affected. On March 4, 2016, RHR disclosed the data breach to potentially affected customers.
RHR sent an email to Millennium indicating that RHR believed the data breach was caused by Millennium's negligence and inquiring as to whether Millennium had insurance to cover such a loss. Millennium then submitted a Notice of Claim to its insurer, St. Paul Fire & Marine Insurance Company.
St. Paul issued CGL insurance policies to Millennium that provided coverage for offenses that included, inter alia, “[m]aking known to any person or organization covered material that violates a person's right of privacy.”
The parties did not dispute that credit card information was "covered material." Instead, the parties disputed whether the “making known” requirement had been met.
While the term “making known” is not defined in the policies, the parties agreed that the term is synonymous with “publication.”
Relying on the decision in Innovak, the Millenium Court decided that RHR's alleged injuries did not result from Millennium's business activities but rather the actions of third parties. Meaning, Millennium did not disclose the private information, hackers did; therefore, St. Paul did not have to provide coverage.
The case is cited as St. Paul Fire & Marine Insurance Company v. Rosen Millennium, Inc., 2018 WL 4732718 (M.D.Fla., 2018), and has been appealed.
Yes folks . . . the "C" in CGL is not for Cyber.
The message from Innovak and Millennium is clear - CGL policies were not designed to cover cyber events where hackers gain unauthorized access to private information.
These two decisions have angered policy holders and consumer advocates because they see it as a very narrow interpretation of the "publication" language. A simplified version of the argument is "it doesn't matter who published the private information."
Really though, this is not a surprise. For a number of years, insurance carriers and brokers have been saying that companies now need to obtain separate cyber insurance coverage in addition to the standard CGL policies (even if the CGL has an enhanced cyber provision).
Truth be told, having a cyber policy is a better alternative than paying out-of-pocket for a cyber breach. See my blog post on the Expense of a Cyber Breach.
Cyber insurance is just a new cost of doing business in the cyber age.
Florida Cyber Lawyer - Robert Stines, Esq., CIPP.