[BreachExchange] Failure To Procure Cyber Insurance Could Haunt Your Company

Destry Winant destry at riskbasedsecurity.com
Thu Nov 1 09:20:30 EDT 2018


https://www.jdsupra.com/legalnews/failure-to-procure-cyber-insurance-30412/

A federal court in Florida recently adopted the now well-developed
consensus that data breach losses are not covered under standard
Commercial General Liability (CGL) policies. As the Department of
Homeland Security’s officially designated 15th annual Cybersecurity
Awareness Month comes to a close, the case stands as yet another stark
warning that companies of all sizes – any company that uses, collects,
stores or handles confidential personal information such as credit
card numbers, social security numbers, etc. – MUST address exposure to
hacking and other data breach events before they occur. One of the
pillars of preparedness for such events is ensuring the company is
appropriately insured, so companies should be in close communication
with their brokers about standalone cyber products. These products not
only respond when data breaches and other hacking events occur, but
they often also come with loss prevention services and the
underwriting process itself can reveal weaknesses in a company’s
cybersecurity regime.

While most companies now recognize the importance of cyber insurance,
data from as recently as 2017 indicates that the United States lags
behind Canada and Europe on the cyber-insurance uptake rate, with as
few as 50 percent of companies having purchased such coverage. It
should be clear by now that such coverage is critical.

ISO has promulgated form cyber coverages for several years, and at
least as far back as 2013 began recommending and standardizing
language to exclude data breaches and other cyber events from standard
CGL coverage, as it was never intended to cover these types of risks,
which are by now prevalent and well-known.

The policy at issue in St. Paul Fire & Marine Insurance Co. v. Rosen
Millennium, Inc., No. 6:17-cv-00540-CEM-GJK (M.D. Fla. Sept. 28, 2018)
was issued in early 2014, when these changes to the commercial
insurance regime were still nascent (the cybersecurity landscape has
evolved so quickly since then that 2014 now reads as ancient history).
The case shows yet again, however, that standard CGL coverage was
never intended to cover these types of risk.
In particular, the court held, as others have, that the personal
injury coverage in CGL policies is not triggered by third-party
liability for exposing the policyholder’s consumer data.

In Rosen, St. Paul Fire & Marine Insurance Company insured Rosen
Millennium, Inc. under two consecutive commercial general liability
policies that required St. Paul to defend Millennium against claims
for bodily injury, property damage, and personal injury. Millennium, a
wholly-owned subsidiary of Rosen Hotels & Resorts, Inc., provided data
security services for Rosen Hotels. In 2016, Rosen Hotels discovered
that it was the subject of a credit card breach that occurred when
malware was installed on its payment network. Rosen Hotels provided
notification of the data breach to the potentially affected customers.

Rosen Hotels then notified Millennium, contending that the data breach
was caused by Millennium’s negligence and inquired whether Millennium
had insurance coverage for the loss. Millennium in turn notified its
CGL carrier, St. Paul. St. Paul initially issued a reservation of
rights letter that stated that there was no coverage for the claim,
but invited Millennium to submit additional information. When
Millennium did not submit any additional information, St. Paul
initiated a declaratory judgment action against Millennium and Rosen
Hotels, seeking a declaration that it did not have a duty to defend
Millennium against the data breach claim by Rosen Hotels. Thereafter,
Rosen Hotels sent a demand letter to Millennium, alleging that it was
entitled to payment from Millennium as a result of the data breach.

At the outset, the court noted that it must analyze St. Paul’s duty to
defend in light of the demand letter because there was no underlying
litigation. According to the court, this demand letter included very
little detail and simply tracked the language of the personal injury
provisions in the CGL Policies. Because it did not mention property
damage or the costs incurred in providing notice of the data breach,
the court only addressed coverage under the personal injury
provisions.

The St. Paul CGL policies provided coverage for “personal injury”
resulting from Millennium’s “business activities.” “Personal injury”
was defined as an “injury, other than bodily injury or advertising
injury … caused by a personal injury offense.” “Personal injury
offense” included “[m]aking known to any person or organization
covered material that violates a person’s right to privacy.” The
parties agreed that the credit card information released was “covered
material” and that “making known” meant “publication,” even though
“making known” was not defined in the CGL policies.

The court found that the third-party breaches were not covered by the
CGL policies because the publication requirement was not met. In so
ruling, the court was persuaded by another recent decision by the same
court in Innovak Int’l, Inc. v. Hanover Ins. Co., No.
8:16-CV-2453-MSS-JSS (M.D. Fla. Nov. 17, 2017). The Innovak court,
applying South Carolina law, ruled that the publication requirement
was only satisfied where the insured, not a third-party hacker, was
the publisher of the covered material. Quoting the Supreme Court of
New York’s seminal decision in Zurich American Insurance Company v.
Sony Corporation of America, No. 651982/2011, 2014 WL 8382554 (N.Y.
Sup. Ct. Feb. 21, 2014), the Innovak court stated that “construing the
policy to include the acts of third parties ‘would expand coverage
beyond what the insurance carriers were … knowingly entering into.’”

Thus, because Millennium itself did not publish the breached credit
card information, the court ruled that the personal injury coverage
was not triggered. The court further noted that any “personal injury”
would not have resulted from Millennium’s “business activities,” as
required by the CGL policies, but instead from the actions of third
parties. Lastly, the court distinguished several other data breach
cases finding a duty to defend because none of those cases involved
data breaches caused by third parties. Given that the court found no
coverage under the insuring agreement, it did not address any
exclusions in the policy, although it appears St. Paul may have had
arguments regarding the applicability of a cyber-related exclusion.

Given the time frame involved, it is not surprising that Millennium
had by then also purchased cyber-specific coverage. Indeed, St. Paul
relied on this fact, pointing out in its motion for summary judgment
that Millennium had cyber coverage through a Beazley Breach Response
policy issued to both Millennium and Rosen. Unfortunately for
Millennium, Beazley also denied coverage for the loss under the breach
response policy because the loss occurred prior to that policy’s
retroactive date, further highlighting the importance of obtaining a
policy that effectively covers the policyholder’s cyber risk.

While the policyholder has filed a notice of appeal, it is unlikely
the Eleventh Circuit will disturb the result. There is no indication
as to whether Millennium is also pursuing Beazley regarding its
denial, or may be seeking other avenues of recourse, such as action
against its broker. But the result is a clear warning to companies
that remain undecided about purchasing cyber coverage, regardless of
their size. Just as no company with a fleet of vehicles would ever
fail to consider purchasing commercial auto insurance, no company that
handles customer payment information (which is nearly every company)
should fail to consider purchasing data breach coverage.
