We use cookies to give you the best online experience. By using our website you agree to our use of cookies in accordance with our cookie policy. Learn more here.Close Me
Rosen Millennium Inc. ("Millennium"), the cyber
security and IT support subsidiary of Rosen Hotels & Resorts,
Inc., has appealed to the Eleventh Circuit contending that a
Florida federal court ignored Florida insurance law when it ruled
that Travelers Insurance Company has no duty to defend it against a
multimillion dollar claim arising out of a cybersecurity
breach.
Millennium began receiving reports
in February 2016 advising of unauthorized use of hotel guests'
cards. The hotel hired a forensic investigator which revealed that
malware had been installed in the payment card system, where it
resided over the course of approximately 18 months. The malware
allowed the hackers to capture guests' credit card numbers,
enabling exposure of the sensitive information to unwanted
third-parties.
Millennium first notified its insurer of the breach in December
2016, and sought coverage for investigation costs, legal fees, and
fines imposed by credit card companies. Millennium's insurer,
St. Paul Fire & Marine Ins. Co. ("St. Paul"), denied
coverage, filed suit and sought a declaration that the policy does
not cover the hotel's losses.
The district court agreed with the insurer and awarded summary
judgment to St. Paul, finding that Millennium is not entitled to
coverage under its general liability insurance policies because the
offense of publishing confidential information to third parties was
done by the third-party hackers and not Millennium. The district
court relied on Innovak v. Hanover Insurance, Co.,
8:16-cv-02453,(M.D. Fla. 2016), a decision decided under South
Carolina law, and concluded that because the data breach was not
perpetrated by Millennium, but instead was committed by third
parties against systems that belonged to the hotel, the requisite
publication to third parties had not occurred.
Millennium now seeks to overturn the ruling. Millennium makes
two primary arguments. First, Millennium argues that the district
court improperly considered evidence beyond the allegations
asserted against the insured in rendering its coverage
determination. Second, Millennium argues that the general liability
policies' Personal Injury coverage provision contains no
requirement that Millennium be the party to publish or expose the
sensitive information and, thus, the district court's
conclusion is inconsistent with Florida law.
In fact, as Hunton Andrews Kurth LLP insurance practice head, Walter Andrews, explained in an
October 2018 article appearing in the Global Data Review (
see Oct. 9, 2018 Post discussing Walter's comments),
although it was undisputed that Florida law controlled
interpretation of Millennium's policies, the district court
based its decision on South Carolina law, which differs from
Florida law in many fundamental respects. "Florida state law
makes it very clear that coverage is meant to be construed in favor
of the policyholder where there is ambiguity," Andrews said.
"To me, it's clear that there were two reasonable
interpretations of the insurance policy here."
Whether the Eleventh Circuit will accept Millennium's
arguments remains to be seen. Until then, policyholders must
continue to be vigilant in their pursuit of clear and unambiguous
insurance for cyber breaches and other cyber events.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Reversing a Texas Court of Appeals decision that allowed Anadarko's Lloyd's of London excess insurers to escape coverage for more than $100 million ...
A federal court last month turned away an insurer's legal arguments seeking to avoid financial institution bond coverage for a bank's losses resulting from a borrower's use of forged documents