In January we wrote about Rosen Millennium Inc.’s (“Millennium”) appeal to the Eleventh Circuit, whereby Millennium took the position that a Florida federal court ignored well established Florida insurance law when it ruled that St. Paul Fire & Marine Insurance Co. had no duty to defend it against a multimillion dollar claim arising out of a 2016 cybersecurity breach.
Two insurance trade groups, the Complex Insurance Claims Litigation Association and the American Property Casualty Insurance Association, have since decided to join the party and have filed a brief of Amici Curiae in the Eleventh Circuit outlining their support of St. Paul Fire & Marine Insurance Co. The insurance trade groups urge the Eleventh Circuit to affirm the lower court’s decision that St. Paul Fire & Marine Insurance Co. has no duty to defend Millennium’s subsidiary against data breach allegations.
Specifically, the insurance trade groups ask the court to uphold findings that the “personal injury offense” provisions of Millennium’s CGL policies are limited to coverage for intentional acts taken by an insured as opposed to actions taken by third parties. In the underlying case, it is undisputed that the intentional act at issue, the release of private data, arose from the acts of third-party hackers even though the data was taken from the insured. Thus, the insurance trade groups are asking the Eleventh Circuit to affirm the lower court’s finding, which greatly limits the scope of coverage under the applicable CGL policies.
The insurance trade groups take the position that an insured’s failure to safeguard information, including the failure to prevent a third party breach of data systems for which it is responsible, cannot covered by the language of traditional CGL policies despite the broad language of the policies. The insurance trade groups go on to discuss specialty cyber polices that are available on the market in an effort to support its position that traditional CGL policies are not meant to cover claims like the one at issue, despite the fact that the policies are supposed to apply more broadly and do not state that they are restricted to non-cyber events.
The trade groups’ positions further evidence the importance for policyholders to analyze their insurance policies to fully understand the scope of coverage granted therein. As technology continues to evolve, policyholders will face additional risks that may not be adequately covered by traditional insurance policies or which may be contested by insurers under those policies. Given the spike of cyber liabilities claims in the recent years, it behooves any policyholder to reach out to experienced coverage counsel in order to ensure adequate coverage is provided under their insurance policies in order to avoid situations like the one faced by Millennium.