Dovetailing with the discussion of the dangers of data breaches, a federal court in Florida recently ruled that data breach losses are not covered under standard Commercial General Liability (CGL) policies.
The court determined that because Millennium, the insured firm that suffered the data breach and sought coverage under its CGL policy, did not “make known” the information itself (the third-party actors to blame for the breach did), the “personal injury” coverage was not triggered. Additionally, the court ruled that any “personal injury” stemming from the data breach would have resulted not from Millennium’s business activities, but from the actions of the third party that caused the breach in the first place.
As a final indignity, Millennium was also denied coverage under a cyber insurance policy it purchased after the breach, due to the loss taking place prior to the policy’s retroactive date. Moral of the story: have cyber insurance before losses happen.