Massive data breaches, now commonplace, often prompt alarm. But the danger they represent—unauthorized use of confidential information—does not always follow straightforwardly. Nonetheless, a growing body of law requires companies affected by data breaches to take prophylactic measures. The cost and publicity of these measures can represent a significant loss, even if no identity theft ever occurs. When these indirect consequences of data breaches interact with the language of traditional insurance coverage provisions, problems can arise. In January 2014, in Recall Total Information Management v. Federal Ins. Co., the Connecticut Appellate Court rejected several novel arguments about injuries of this type that could have broadly redefined the nature of "personal injury."
Recall Total was responsible for storing and transporting data on various electronic media for IBM. In February 2007, approximately 130 electronic tapes containing confidential information of about 500,000 present and former IBM employees fell from the back of a van belonging to Recall Total’s subcontractor. The tapes were never recovered. IBM took immediate security precautions, such as notifying the affected employees and offering them identity theft protection. Recall Total later agreed to pay IBM more than $6 million to cover the costs of those mitigation measures. None of the individuals whose data was lost reported any injury as a result of the incident.
Recall Total was an additional insured under its subcontractor’s commercial general liability policy. The policy required the insurers to provide Recall Total with a defense against certain kinds of "suit," which was defined to include a "dispute resolution proceeding … to which the insured … submit[s] with our consent." Recall Total argued that its nearly two years of negotiations, first with IBM and then with its subcontractor, constituted either a "suit" or such a "proceeding." The Court rejected the argument, making clear that the duty to defend is not triggered by "every discussion, however informal." The Court added that, in any event, defendants did not consent to the negotiations.
Plaintiffs also argued that Recall Total’s payment to IBM was covered under the personal injury provision of the policy. "Personal injury" was defined to include "injury caused by an offense of … publication that … violates a person’s right to privacy." Plaintiffs contended that private data had been "published," in that it was communicated to the unknown person or persons who removed the tapes from the place at which they were lost. The Court noted, however, that there was no evidence that anyone actually accessed the information contained on the tapes: no instance of unauthorized use had been reported, and, further, the tapes could not be read by a personal computer.
Plaintiffs also argued that IBM’s notice to its affected employees had been mandated by certain state privacy statutes, and that the triggering of those statutory obligations therefore constituted "presumptive invasions of privacy." Plaintiffs argued, in other words, that the statute created a new type of "personal injury" that could be implied by law into the policies. The Court declined to do so, noting that the statutes "do not address … identity theft or the increased risk thereof … [but] merely require notification to an affected person so that he may protect himself from potential harm." The trial court’s award of summary judgment to the insurers was affirmed.