St. Paul Fire & Marine, a subsidiary of Travelers, recently obtained a declaratory judgment in its favor in connection with a data breach that compromised the credit cards of numerous guests of Rosen Hotels & Resorts.  Rosen Millennium, Inc., the IT subsidiary of Rosen Hotels & Resorts responsible for the hotel chain’s data security, tendered a claim under two St. Paul commercial general liability policies after a forensic investigation of the data breach revealed the existence of malware on Rosen Hotels’ payment network.  St. Paul issued a reservation of rights, contending there was no coverage for the claim, and commenced a declaratory judgment action on the issue of whether St. Paul had a duty to defend any claim brought against Rosen Millennium.

The U.S. District Court for the Middle District of Florida agreed with St. Paul and ruled the insurer had no duty to defend.  Although the CGL policies covered “personal injury,” which was defined to include “making known to any person or organization covered material that violates a person’s right of privacy,” the Court held the claim was not covered because the policies required covered personal injuries to result from the insured’s business activities, whereas the hotel guests’ credit card information had been compromised by third-party hackers.  Specifically, the Court found the “alleged injuries did not result from [Rosen] Millennium’s business activities but rather the actions of third parties.”

The decision in St. Paul Fire & Marine Insurance Co. v. Rosen Millennium, Inc., et al., No. 6:17-cv-540-Orl-41GJK, underscores both the importance of having a stand-alone cyber liability policy and the uncertainty of obtaining any coverage for a data breach under a CGL or other non-cyber policy.  In addition, insureds should be aware of the distinction between CGL policies providing (1) coverage for personal injury/personal and advertising injury that must result from the insured’s business activities and (2) coverage for all damages because of personal and advertising injury, which loss need not result from the insured’s conduct.  The latter coverage would likely capture damages arising out of Rosen Hotels’ credit card data breach, which was caused by third-party hackers and not the insured, whereas the former did not in this case.