On November 17, 2017, a U.S. district court in Florida narrowly construed personal and advertising injury coverage for data-breach claims under a commercial general liability policy. In Innovak International, Inc., v. The Hanover Insurance Company, the court held that The Hanover Insurance Company (the insurer) has no duty to defend Innovak International, Inc. (the insured), against a putative class action arising from a data breach that compromised users’ personal private information (“PPI”).
The court narrowly construed the policy’s definition of “personal and advertising injury” that included “[o]ral or written publication in any manner of material that violates a person’s right of privacy.” Despite the absence of a requirement that the insured publish that material, the court held that the policy only extended coverage to publication by the insured.
The court held that “[t]he act that violates the claimants’ right of privacy is the publication of their PPI, and the Underlying Claimants have not alleged that Innovak directly or indirectly committed that act.” The court rejected Innovak’s arguments that the phrase “in any manner” includes both “direct publication of PPI and negligent failure to prevent third parties from obtaining the PPI.” Following a New York state court decision (Zurich American Insurance v. Sony Corporation of America), the Florida court construed the phrase “in any manner” to refer to the medium rather that the sender of the information.
The court also rejected Innovak’s argument that the putative class action complaint alleged that Innovak indirectly published the PPI. The court held that the complaint clearly alleged that Innovak failed to protect the users’ PPI by failing to implement sufficient data security measures – which is not an allegation of publication at all. The court distinguished a California case, Hartford Casualty Insurance Co. v. Corcino & Associates, et al., because that complaint alleged that the insured posted private information on a public website, and the court did not address the same legal issues.
Finally, the court made short shrift of Innovak’s argument that Hanover waived its defense by omitting it from its denial letter, because the particular defense was included within the letter.
This case serves as a reminder that organizations should not assume that their commercial general liability policies will cover losses from data breaches – even if the organization purchases a data breach enhancement, as Innovak did. The policy’s Data Breach Form provided only data breach services and paid only data breach expenses and expressly excluded “fees, costs, settlements, judgments or liability of any kind” arising out of a data breach. The lack of coverage under the Data Breach Form left Innovak with only the personal and advertising injury coverage, which, in this instance, did not extend to the putative class action against Innovak.
As often mentioned on this blog, prudent insureds should purchase dedicated cyber insurance coverage if at all possible. Smaller organizations may rely on coverage enhancements to their existing insurance programs but should recognize the risk of this strategy. Under either a traditional or specialized cyber insurance program, all insureds should scrutinize policy language to understand the scope of coverage and –more importantly – the limitations of that coverage for data breach and other cyber-related exposures.