The war to find data breach coverage under commercial general liability (CGL) policies continues to be waged. In St. Paul Fire & Marine Insurance v. Rosen Millennium, Inc. et al., filed in March 2017 (M.D. Fla. 6:17-CV-00540), an insurer is seeking a declaration that neither the insured’s 2014-15 nor its 2015-16 CGL policy covers data breach costs and a couple million dollars’ worth of PCI fines.
In 2016, the insured, a hotel, discovered that its payment network had been compromised by malware between September 2014 and February 2016, resulting in the disclosure of customer credit card information. The hotel first tendered to Beazley, its cyber insurer, but Beazley denied coverage on the ground that the “occurrence” happened prior to the applicable retroactive date of the hotel’s 2015-16 policy. More on those notorious retro dates here.
The hotel turned to its CGL carrier, St. Paul, which denied coverage for a variety of reasons. Two are especially noteworthy. First, St. Paul argues that the ready and known availability of cyber insurance for data breach losses is itself an indication that CGL policies are not intended to cover those losses. Second, St. Paul points out that the insured has actually purchased cyber insurance since 2015-16. Relying on cases holding that courts should construe insurance policies so as not to find duplicative coverage, St. Paul argues that the CGL policies must be interpreted so as not to provide coverage for data breach losses because the insured’s Beazley policy did provide that coverage.