The federal district court agreed with the insurer that there was no coverage for the insured's causing a data breach. St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., 2018 U.S. Dist. LEXIS 173072 (M. D. Fla. Sept. 28, 2018).
Millennium provided data security services for Rosen Hotels & Resorts, Inc. (RHR). In February 2016, RHR became aware of a potential credit card breach at on of their hotels. RHR hired a forensic investigator to determine whether a data breach occurred. The forensic investigator found malware installed on the payment network and determined that customers' cards may have been affected. RHR disclosed the data breach to potentially affected customers.
Millennium submitted a Notice of Claim to St. Paul after receiving an email from RHR indicating that RHR believed that the data breach was caused by Millennium's negligence and inquiring as to whether Millennium had insurance to cover such a loss. St. Paul issued a reservation of rights, indicating there was no coverage for the claim. Millennium then provided a letter from RHR in which RHR alleged it was entitled to payment from Millennium as a result of the data breach. RHR did never filed suit.
St. Paul filed suit for a declaratory judgment that it had no defense obligations and moved for summary judgment. RHR argued St. Paul was obligated to defend because: (1) the customers' loss of use of their credit cards, and the inevitable replacement of the cards, was covered as "property damage;" and (2) the costs incurred by RHR in complying with the notification statutes were covered under the policy.
The court noted there was no underlying complaint, so it looked at RHR's Notice of Claim and demand letter. The Notice of Claim had no substantive information other than the fact that a 'credit card systems breach occurred. Details in the demand letter were also sparse, but it specifically stated that Millennium "made private information known to third parties that violated a credit care holder's right of privacy." Therefore, the court addressed St. Paul's duty to defend under the personal injury provisions of the policy.
The policy defined "personal injury" as an "injury other than bodily injury or advertising injury, that's caused by a personal injury offense." A "personal injury offense" included "making known to any person or organization covered material that violates a person's right of privacy." The parties disputed whether the "making known" requirement was met. The parties agreed that "making known" was synonymous with "publication."
The court determined there was no publication. The CGL policy required covered personal injuries to result from the insured's business activities. RHR's alleged injuries did not result from Millennium's business activities but rather the actions of third parties. Therefore, RHR's personal injury claim was not covered under the policy and St. Paul had no duty to defend.
