Rosen Millennium Inc. (“Millennium”), the cyber security and IT support subsidiary of Rosen Hotels & Resorts, Inc., has appealed to the Eleventh Circuit contending that a Florida federal court ignored Florida insurance law when it ruled that Travelers Insurance Company has no duty to defend it against a multimillion dollar claim arising out of a cybersecurity breach.
Millennium began receiving reports in February 2016 advising of unauthorized use of hotel guests’ cards. The hotel hired a forensic investigator which revealed that malware had been installed in the payment card system, where it resided over the course of approximately 18 months. The malware allowed the hackers to capture guests’ credit card numbers, enabling exposure of the sensitive information to unwanted third-parties.
Millennium first notified its insurer of the breach in December 2016, and sought coverage for investigation costs, legal fees, and fines imposed by credit card companies. Millennium’s insurer, St. Paul Fire & Marine Ins. Co. (“St. Paul”), denied coverage, filed suit and sought a declaration that the policy does not cover the hotel’s losses.
The district court agreed with the insurer and awarded summary judgment to St. Paul, finding that Millennium is not entitled to coverage under its general liability insurance policies because the offense of publishing confidential information to third parties was done by the third-party hackers and not Millennium. The district court relied on Innovak v. Hanover Insurance, Co., 8:16-cv-02453,(M.D. Fla. 2016), a decision decided under South Carolina law, and concluded that because the data breach was not perpetrated by Millennium, but instead was committed by third parties against systems that belonged to the hotel, the requisite publication to third parties had not occurred.
Millennium now seeks to overturn the ruling. Millennium makes two primary arguments. First, Millennium argues that the district court improperly considered evidence beyond the allegations asserted against the insured in rendering its coverage determination. Second, Millennium argues that the general liability policies’ Personal Injury coverage provision contains no requirement that Millennium be the party to publish or expose the sensitive information and, thus, the district court’s conclusion is inconsistent with Florida law.
In fact, as Hunton Andrews Kurth LLP insurance practice head, Walter Andrews, explained in an October 2018 article appearing in the Global Data Review (see Oct. 9, 2018 Post discussing Walter’s comments), although it was undisputed that Florida law controlled interpretation of Millennium’s policies, the district court based its decision on South Carolina law, which differs from Florida law in many fundamental respects. “Florida state law makes it very clear that coverage is meant to be construed in favor of the policyholder where there is ambiguity,” Andrews said. “To me, it’s clear that there were two reasonable interpretations of the insurance policy here.”
Whether the Eleventh Circuit will accept Millennium’s arguments remains to be seen. Until then, policyholders must continue to be vigilant in their pursuit of clear and unambiguous insurance for cyber breaches and other cyber events.