In the lawsuit Innovak Int’l, Inc. v. Hanover Ins. Co., the federal court for the middle district of Florida recently held that an underlying data breach class action lawsuit did not implicate “personal and advertising injury” coverage because the insured was not the entity accused of publishing the compromised personal information (PI).
The decision is relevant because not only did the court reject claims for cyber coverage under a CGL policy, but also because the decision is following a recent trend in litigation over Coverage B: namely, if the insured is not the one accused of publishing the information at issue, there is no “personal and advertising liability” coverage. In other words, Coverage B does not apply to third-party publications, even if the insured is the entity ultimately sued. E.g., Steadfast Ins. Co. v. Tomei, 2016 Pa. Super. Unpub. LEXIS 1864, at *17 (Pa. Super. Ct. May 24, 2016); Zurich Am. Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014).
The facts in Innovak are straightforward. Innovak was sued in a putative class action following a data breach that compromised the underlying plaintiffs’ personal information. According to the lawsuit, Innovak “designs, develops, and sells accounting and payroll computer software systems to schools, school districts, and to other entities across the United States.” Id. at *3. The lawsuit alleged that “Innovak’s software and database provides up-to-date W2 and paystub information to end users, which is accessible remotely via an internet portal,” and that Innovak suffered the data breach “when hackers appropriated the personal private information (‘PPI’) stored on its software, database, and/or its portals … from numerous individuals in several different states whose PPI was stored and made accessible through Innovak’s internet portal.” Id. at *3-4. The suit was filed because of “Innovak’s alleged failure to protect adequately the Underlying Claimants’ PPI and to timely disclose the data breach to end users.” Id. at *4.
Innovak sought a defense under the “personal and advertising injury” coverage in its CGL policy. The policy defined “personal and advertising injury” in part as “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Id. at *16. The carrier denied coverage and coverage litigation ensued.
The federal court, applying South Carolina law, held that the underlying lawsuit did not implicate Coverage B “personal and advertising injury” coverage because Innovak was not accused of publishing the PI in question. The court observed:
The Court notes that Innovak materially mischaracterizes the allegations of the Underlying Complaint. Nowhere in the Underlying Complaint do the Underlying Claimants contend that their PPI was “published,” whether by third party hackers or by Innovak. However, even if the Court views the alleged data breach as an alleged publication of the Underlying Claimants’ PPI, the Underlying Claimants do not allege that Innovak published their information.
Id. at *16. Citing the reasoning of the New York trial court in Zurich Am. Ins. Co. v. Sony Corp., the Florida court held that “the only plausible interpretation of Coverage B is that it requires the insured to be the publisher of the PPI.” Id. at *18. Allegations that the insured failed to protect PI adequately is not a publication, whether direct or indirect. Id.
What this case means. The insurance industry has attempted to shift coverage for liability for cyber risk from CGL policies to cybersecurity policies through promulgation of the Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability Damages exclusion.
Thus, the real significance of this case is that it is yet another decision in which courts have limited Coverage B to claims in which the insured – and not a third party – has committed the publication. This limitation has a reach well beyond the scope of cybersecurity. It goes to an increasingly common theme in litigation where the insured is sued not for invading someone’s privacy, but for failing to prevent the invasion of privacy committed by a third party, whether by e-surveillance or vulnerabilities in the insured’s informational security, or from actions taken by rogue employees.