Credit Card Breach Results in No Coverage for ‘Personal Injury’

Customers’ credit cards used between September 2014 and February 2016 were compromised when a hotel chain found its system had been breached.
By: | December 2, 2018

Rosen Hotels & Resorts (RHR) runs a series of hotels under head company Rosen Millennium Inc. In 2016, RHR learned of a potential credit card breach at one hotel. Malware had been installed on the payment network, and customers’ cards used between September 2014 and February 2016 were compromised.

RHR sent Millennium an email regarding the data breach, asserting Millennium’s negligence as the cause. In December 2016, Millennium submitted a Notice of Claim to its carrier, St. Paul Fire and Marine Insurance Company, inquiring about coverage for the loss.

St. Paul had issued Millennium two consecutive commercial general liability policies during the time in which the data breach at RHR occurred. In these policies, St. Paul was required to defend Millennium against any claims of bodily injury or property damage. But St. Paul responded to Millennium’s notice that it had no duty to cover the claim.


Soon after, RHR issued a demand letter to Millennium, alleging it was entitled to payment for the breach. Though this was not a lawsuit, St. Paul treated the demand letter as such and alleged there was enough details within the Notice of Claim and the demand letter to create a case against St. Paul’s duty to defend Millennium. It sought summary judgment.

St. Paul asserted it had no duty to defend. It turned to policy language that said “personal injury” did not include data breach, because it was not a physical loss.

In their reasoning, the hotel chain said “the customers’ loss of the use of their credit cards, and the inevitable replacement of those cards, is covered as ‘property damage.’ ”

Because there was no underlying litigation, the court looked to language in the demand letter and the Notice of Claim. Within each, the court determined there was no explicit reference to property damage for the data breach from RHR or Millennium.

Scorecard: St. Paul Fire and Marine Insurance Company will not have to defend or pay for alleged ‘personal injury’ stemming out of a credit card data breach.

Takeaway: When crafting any notice for a claim or even a potential claim, choose the wording carefully in the event that the contents of that notice become part of the legal process. &

Autumn Heisler is the digital producer at Risk & Insurance®. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Risk Matrix: Presented by Liberty Mutual Insurance

9 Ways Businesses Will Change as a Result of COVID-19

As more is understood about the aftereffects of COVID-19, here are some of the ways the pandemic has already started to change how organizations conduct business.
By: | August 3, 2020

The R&I Editorial Team can be reached at [email protected]