A Florida court held that the insurer had no duty to defend a hotel operator’s information technology subsidiary against allegations that it was responsible for a hacking incident that exposed hotel customers’ credit card data because, under the general liability policy, there was no ‘making known to any person or organisation covered material that violates a person’s right of privacy’.
Whilst it was common cause that the data breach related to ‘covered material’, the court found that the data was not ‘made known’, which is synonymous with ‘published’. The policyholder itself did not publish customers’ sensitive information. The information was stolen by hackers who installed malware on the payment network. The only plausible interpretation of the policy was that it required the insured to be the negligent publisher of the private information in order to get indemnified.
This case illustrates why general liability policies should not be relied on to cover cyberattacks and why cyber insurance should be taken out.
The case is St. Paul Fire & Marine Insurance Company v Rosen Millennium, Inc.