The war to find data breach coverage under commercial general liability (CGL) policies continues to be waged. In St. Paul Fire & Marine Insurance v. Rosen Millennium, Inc. et al., filed in March 2017 (M.D. Fla. 6:17-CV-00540), an insurer is seeking a declaration that neither the insured’s 2014-15 nor its 2015-16 CGL policy covers data breach costs and a couple million dollars’ worth of PCI fines.
In 2016, the insured, a hotel, discovered that its payment network had been compromised by malware between September 2014 and February 2016, resulting in the disclosure of customer credit card information. The hotel first tendered to Beazley, its cyber insurer, but Beazley denied coverage on the ground that the “occurrence” happened prior to the applicable retroactive date of the hotel’s 2015-16 policy. More on those notorious retro dates here.
The hotel turned to its CGL carrier, St. Paul, which denied coverage for a variety of reasons. Two are especially noteworthy. First, St. Paul argues that the ready and known availability of cyber insurance for data breach losses is itself an indication that CGL policies are not intended to cover those losses. Second, St. Paul points out that the insured has actually purchased cyber insurance since 2015-16. Relying on cases holding that courts should construe insurance policies so as not to find duplicative coverage, St. Paul argues that the CGL policies must be interpreted so as not to provide coverage for data breach losses because the insured’s Beazley policy did provide that coverage.
I’d argue that there’s no duplicative coverage here. For coverage to be “duplicative,” you have to actually have it in at least one other policy. Here, the hotel apparently doesn’t. That’s why it tendered to St. Paul.
But the more important point is that these relatively new arguments are evidence that it is becoming increasingly difficult to argue for data breach coverage in a CGL policy. From the early 2000s through the Sony litigation in 2015, insureds have sought, and in more than a few cases found, coverage in CGL policies for data breach losses. But as policy language tightens, as ISO and bespoke data breach exclusions are systematically incorporated into non-cyber policies, and as the cyber market continues to grow, the CGL coverage argument becomes a far more difficult needle to thread.
Reminder: I don’t sell insurance.
Reminder Two: If you have data breach exposure, you probably should buy cyber insurance.