On November 17, 2017, a federal district court in Florida granted summary judgment in favor of Hanover Insurance Company (the Insurer) relating to a data breach suffered by Innovak International Inc. (the Insured). Innovak International Inc. v. The Hanover Insurance Company, Case No: 8:16:cv-2453-MSS-JSS, U.S. Dist. Ct., Mid. Dist. FL (November 17, 2017).
The Insured, a small company with 3 employees, supplied software to school districts to run their financial systems, payroll and other functions.
The Insured was sued in April 2016 after acknowledging that it was the victim of a data breach, during which personal information, including W2 and paystub information of its software’s end-users, was stolen. A class action was subsequently filed against the Insured, in which the plaintiffs asserted claims of negligence, breach of implied contract, gross negligence, unjust enrichment, and fraudulent suppression. The plaintiffs alleged that the Insured failed to adequately protect their “personal private information (PPI)” and timely disclose the breach to the end-users, causing them “psychic injuries,” including “stress, nuisance, loss of sleep, worry, and annoyance.” The Insured sued the Insurer after it denied coverage for the claim under a Commercial General Liability policy.
The policy contains the following relevant provision:
We will pay those sums that the insured becomes legally obligated to pay as damages because of “personal and advertising injury” to which this insurance applies. We will have the right and duty to defend the insured against any “suit” seeking those damages. However, we will have no duty to defend the insured against any “suit” seeking damages for “personal and advertising injury” to which this insurance does not apply.
“Personal and advertising injury” were defined in part as “injury, including consequential ‘bodily injury’, arising out of one or more of the following offenses: . . . e. Oral or written publication, in any manner, of material that violates a person’s right of privacy.”
The Coverage Dispute
The Insured sought coverage under Coverage B, arguing that the Insurer had a duty to defend the underlying action because the plaintiffs “plainly and unequivocally allege that [the Insured] negligently prepared, designed and published software that allowed private personal information to be known by third parties.” The Insured claimed that Coverage B “provides coverage for claims alleging any publication of material that violates a person’s right to privacy, whether the publication is directly or indirectly committed by the insured.”
The Insurer moved for summary judgment on the ground that Coverage B was inapplicable because the plaintiffs alleged appropriation, and not publication, of their PPI by third parties. Even if the plaintiffs had alleged publication, the Insurer asserted that Coverage B would apply only to intentional acts by the insured, not to acts by third party hackers. The insurer also argued that if the plaintiffs’ claims were construed as alleging publication by the Insured, Coverage B still would not be triggered because it applies only to intentional acts of an insured, and the underlying claims alleged only that the Insured was negligent.
In granting the Insurer’s motion for summary judgment, the court found that “there is no coverage under Coverage B for the Underlying Action because the Underlying Complaint does not allege a publication by [the Insured].” Expressly concurring with the New York Supreme Court’s decision in Zurich American Insurance v. Sony Corp. of America, 2014 N.Y. Misc. LEXIS 5141 (N.Y.Sup. Ct. Feb. 21, 2014), the court found that “the only plausible interpretation of Coverage B is that it requires the insured to be the publisher of the PPI.” The court rejected the Insured’s argument that the phrase, oral or written publication “in any manner,” includes “both direct publication of PPI and negligent failure to prevent third parties from obtaining the PPI.” It ruled that “in any manner” referred to the manner of publication, and not to the party involved in the publication.
The costs associated with defending a data breach class action can be devastating to a small company like the Insured in this case. In light of the continuing prevalence of cyber threats, companies of all sizes would be well served by reviewing their insurance portfolio to ensure that have appropriate coverage for today’s cyber risks.