Login Register Subscribe
Current Issue

Travelers unit sues hotel group, says CGL policy doesn't cover cyber breach

Reprints

A Travelers Cos. Inc. unit is seeking a declaratory judgment that it is not liable under the commercial general liability policy it issued to a Florida hotel group to reimburse it for about $2.4 million in fines and other costs incurred in connection with a data breach.

Hartford, Connecticut-based St. Paul Fire & Marine Insurance Co. said it is not liable for the data breaches incurred by Orlando, Florida-based Millennium Technology Group because its affiliated hotel group’s data breach losses “do not result from bodily injury, property damage, personal injury, or advertising injury under the policy,” according to the lawsuit filed in U.S. District Court in Orlando on March 27 in St. Paul Fire & Marine Insurance Co. v. Rosen Millennium Inc. d/b/a Rosen Millennium Technology Group, which was widely publicized this week.

St. Paul’s CGL policy, which had effective dates of Feb. 24, 2014, to Feb. 25, 2015, had limits of $1 million per event, $1 million for advertising injury per person and $1 million for personal injury per person, all subject to a $2 million aggregate limit, according to the complaint.

Rosen began to receive reports indicating patterns of unauthorized charges to customer cards shortly after customers were guests at Rosen’s various hotels on or about Feb. 3, 2016, according to the lawsuit.

Shortly thereafter, Rosen allegedly retained forensic investigators at an approximately $150,000 cost to determine whether a breach had occurred and, if so, its source.

An investigation allegedly revealed malware had been installed on the hotel’s payment network and that cards used at the hotel chain for periods between September 2014 and February 2016 may have been affected. The data breach was disclosed to affected customers on March 4, 12016.

Rosen allegedly incurred an economic loss of about $2.4 million: After already incurring a total of $105,000 in fees to attorneys, to a crisis management firm and in notification costs, it was allegedly fined $1,005,140 by MasterCard; $128,830 by American Express and more than $1 million by Visa in connection with the breach, according to the lawsuit. 

The lawsuit says there is also the possibility of “latent” claims by data breach victims for which Rosen may request a defense.

St. Paul denied coverage in March, then filed suit seeking a judicial declaration Rosen’s losses are not covered by its CGL policy.

“St. Paul has neither a duty to defend Rosen with respect to the fines and penalties levied by Visa, MasterCard, and American Express, or any of the other costs incurred by Rosen, nor does it have a duty to indemnify Rosen for same,” says the lawsuit.

A Rosen spokesman could not immediately be reached for comment. 

“A lot of companies believe that their commercial liability insurance will protect them from a data breach and obviously, as this case proved out, that is oftentimes not correct,” said Melody B. Lynch, a shareholder with Lowndes, Drosdick, Doster, Kantor & Reed P.A. in Orlando.