TAMPA, Fla. – The Hanover Insurance Company (“Hanover”) won its motion for summary judgment and does not have to defend Innovak International Inc. (“Innovak”) in a proposed class action claiming Innovak failed to prevent a 2016 data breach that compromised users’ personal information. United States District Judge for the Middle District of Florida, The Honorable Mary Scriven, ruled that coverage does not exist under the Commercial General Liability policy (“CGL”) because the breached data was not published by Innovak.
Innovak designs, develops and sells accounting and payroll computer software systems to schools, school systems and other state agencies in several states. In April 2016, Melissa Bohannan and other users of Innovak’s software filed a class action lawsuit against Innovak after the company acknowledged that personally identifiable information (“PII”) – including Social Security numbers, addresses, telephone numbers and dates of birth – had been hacked from employees at 15 school districts in Alabama and Mississippi. Ms. Bohannan claimed that Innovak has “known since at least 2014” that PII could be at risk of theft, yet Innovak failed to implement adequate measures to protect the information.
Innovak did not have cyber insurance at the time of the data breach and sought defense coverage from Hanover, its CGL carrier. Hanover refused and Innovak filed suit in Florida state court in July 2016. Hanover removed the case to federal court and Innovak argued that it was entitled to personal and advertising injury coverage because it “negligently prepared, designed and published software that allowed private personal information to be known by third parties,” which can be construed as an indirect act of publication.
The underlying suit, however, did not allege publication of the information, but that Innovak failed to implement sufficient data security measures. “This is not an allegation of indirect publication; it is not an allegation of publication at all,” wrote Judge Scriven. “Thus, the court declines to construe the underlying claimants’ claims as claims for indirect publication of their information by Innovak.”
“The Innovak case serves as a reminder that cyber losses are not typically covered under traditional insurance policies such as a CGL policy. It is important for companies to consider purchasing appropriate cyber liability insurance, especially if that company is in the business of storing PII or protected health information (“PHI”),” stated Phelps Dunbar Partner Pablo Gonzalez, who also co-spearheads the Firm’s Cybersecurity and Data Privacy Practice.
New Orleans partners Mark Dodart and Pablo Gonzalez were instrumental in the briefing for this case. Tampa partner Patricia A. McLean and associate Mallory Thomas are counsel of record for Hanover.
With offices positioned along the Gulf Coast from Houston to Tampa, Phelps Dunbar is a regional law firm of more than 260 attorneys uniquely equipped to serve clients in the major commercial centers of the burgeoning “Third Coast” of the United States. Locations in New Orleans and Baton Rouge, Louisiana; Jackson, Tupelo and Gulfport, Mississippi; Houston and Dallas/Fort Worth, Texas; Tampa, Florida; Mobile, Alabama; Raleigh, North Carolina; and London enable Phelps Dunbar to serve clients not only along the Third Coast, but also the South, nationwide and abroad.