[BreachExchange] Florida Court Finds No Coverage For Data Breach Incident Under Personal And Advertising Injury Coverage

Destry Winant destry at riskbasedsecurity.com
Wed Oct 10 18:58:08 EDT 2018


As many readers of this blog already know, our insurance coverage
practice monitors courts around the nation for court decisions that
might interest our readers. Decisions involving insurance coverage for
data breach incidents continue to be of interest, especially where
policyholders seek coverage under the “personal and advertising
injury” provisions in standard commercial general liability insurance

Late last week, the U.S. District Court for the Middle District of
Florida issued another opinion consistent with the nationwide trend
that such policies do not provide coverage for insureds who are the
victims of, or allegedly cause, data breaches, absent evidence that
the insured itself published the sensitive data.

In St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., Middle
District of Florida Case No. 17-CV-540 (J. Mendoza) (Sept. 28, 2018),
St. Paul sought a court declaration that its personal and advertising
injury coverage form did not provide coverage, defense or indemnity,
for a data breach incident allegedly caused by Rosen Millennium, a
data security provider. The breach incident caused the credit card
information of Rosen Millennium’s customer to be exposed by hackers.

St. Paul’s coverage form provides coverage for various specified
offenses, including “making known to any person or organization
covered material that violates a person’s right of privacy.” Rosen
Millennium argued that it had received a demand letter alleging that
it was negligent, resulting in the exposure of cardholders’ personal
information, violating their right of privacy, and seeking damages.
These allegations, it argued, qualified for coverage.

The court took care to review existing precedent and found no
potential coverage. While no prior decision used the “making known”
language found in St. Paul’s policy, the court found that that phrase
was synonymous with the term “publication.” Because there was no
evidence that Rosen Millennium itself published the sensitive
information, there was no potential coverage.

There were a few other interesting aspects of the court’s decision.
First, the policy language requires publication of “covered material”
before coverage applies, but does not more specifically describe what
type of material might be “covered.” This was not an issue addressed
at any length in the court’s opinion, however, because the parties
conceded that the credit card information qualified.

In addition, Rosen Millennium argued that coverage was provided
because the customers’ loss of the use of their credit cards
constituted covered property damage. The court found this issue was
not included in the demand letter received by Rosen Millennium and
that the issue was not ripe for resolution.

You may find a copy of Judge Mendoza’s order here:
