On January 14, 2014, the Connecticut Appellate Court issued a decision in Recall Total Information Management, Inc., et al. v Federal Insurance Company, et al., __ Conn. App. ___, 2014 WL 43529 (Conn. App. Ct. Jan 14, 2014), a matter involving a peculiar type of data breach and plaintiffs’ claim that it was covered under the personal injury clause in a commercial general liability policy. (A copy of the opinion of the Appellate Court is available through this link: http://www.jud.ct.gov/external/supapp/Cases/AROap/AP147/147AP108.pdf )
The facts are straightforward, yet distinguishable from the many cases in which the data breach occurs as a result of hacking or system penetration. In this instance, plaintiff Recall Total had a contract with International Business Machines, which required Recall Total to transport and store various electronic media and records of IBM. Recall Total subcontracted the transportation of IBM’s records and media to its co-plaintiff Executive Logistics, Inc. (“Ex Log”). The data breach in question occurred when, during transport, a cart containing IBM’s tapes fell from the back of Ex Log’s transport van. Before the cart could be retrieved, 130 of these tapes were removed from the cart by an unknown person and have never been recovered.
The lost tapes contained personal identifying information for over 500,000 past & present IBM employees. Although the tapes were of a type that could not be read by personal computers or other devices accessible to average persons, IBM immediately took steps to mitigate the potential harm from the possible use or dissemination of the personal information on the tapes. IBM notified its employees of the incident, set up a call center to answer their questions about the lost data and provided each of them with one year of credit monitoring. The cost to IBM: More than $6 million.
IBM made a demand on Recall Total for all of the costs it had incurred addressing the data breach. Recall Total, as an additional named insured on Ex Log’s commercial general liability policy, notified the insurers who had issued the primary and umbrella policies to Ex Log of IBM’s demand, but those insurers denied coverage and refused to participate. After two years, Recall Total negotiated a settlement with IBM and agreed to pay IBM the full amount of its costs. Recall Total then demanded indemnification from Ex Log, and Ex Log and Recall Total both sought coverage under Ex Log’s commercial general liability policy. When coverage was denied, plaintiffs filed suit against the defendant insurers claiming, among other things, breach of the contract of insurance.
Ex Log’s policy provided coverage for personal injury from invasion of privacy. But in the absence of any allegation or evidence that any of the lost data on the tapes had actually been accessed, the trial court reasoned that there was no injury to a person. Rather, the trial court observed that although IBM had incurred substantial expense addressing the data loss, this could not satisfy the “personal injury” requirement because, as a corporation, IBM is not a person for purposes of invasion of privacy law. Thus, in the absence of any proof that anyone whose personal information was lost had suffered identity theft or any other privacy violation in the four years since the loss of the data, the trial court granted the defendant insurers’ motion for summary judgment.
On appeal, plaintiffs claimed error in the trial court’s conclusion that the loss of the tapes did not constitute a compensable personal injury under the commercial general liability policy. Plaintiffs’ argued that not only did the loss of data itself constitute personal injury, but they also argued that because the loss of data triggered state law remedial privacy statutes, personal injury should be presumed.
The Appellate Court noted that the policy defined “personal injury” to include any injury “caused by an offense … or other publication of material that … violates a person’s right to privacy.” Thus the Appellate Court found that the dispositive issue was not whether the personal information had been lost, but rather whether it had been published. The Appellate Court did not decide the question whether “publication” within the meaning of the policy would require dissemination to a single person or the public at large. Instead, the Appellate Court noted that there was nothing in the record to suggest that the information on the tapes had been accessed by anyone. The Appellate Court dismissed Plaintiffs’ contention that the personal information lost had been published to the unknown thief as mere speculation of publication. Accordingly, the Appellate Court agreed with the trial court that plaintiffs’ claim was not covered under the policy’s personal injury provision.
Finally, the Appellate Court noted its disagreement with plaintiffs’ contention that the triggering of certain state laws requiring notification of the data loss to affected persons amounted to the “presumptive invasion of privacy.” The Appellate Court observed that these notification laws neither address nor provide any compensation to potential victims of identity theft. These statutes only require notice so that the affected persons can attempt to protect themselves. Therefore, the Appellate Court concluded that the triggering of notification statutes could not be a substitute for proof of an actual invasion of privacy.
It is difficult to foresee whether the decision in Recall Total will have far reaching impact. Not many cases construing the applicability of personal injury language of commercial general liability policies to injury from data loss incidents have been published. Insurance coverage for data breach is, however, now more commonly available. Therefore, it would be logical to expect fewer cases seeking to extend coverage under personal injury language in commercial general liability policies to injury from data loss. Moreover, in a typical data breach situation, where there has been purposeful and direct access to the data by an identified penetrator, many of Recall Total‘s points will not be at issue. Whether access to the data by a single hacker would constitute “publication” within the meaning of such policy language, however, remains an open question. This issue was addressed, but not fully determined, in the Recall Total opinion because there had been no showing that the data on the tapes had been accessed by a single person- not even the thief. Therefore, it remains to be seen whether another court will hold that “publication” occurs when a single person accesses the personal information, or whether a more public dissemination of the data is required to constitute an invasion of privacy compensable under such policy language.
 At trial and on appeal, plaintiffs also contended that defendants’ failure to represent Recall Total or participate in the negotiations with IBM constituted a breach of the defendants’ duty to defend their insured and a waiver of the insurers’ ability to contest coverage. That claim is beyond the scope of this topic. Suffice it to say that based on the plain language of the policy that limited the duty of the defendants to defend the insured in a “suit” or “other dispute resolution proceeding,” neither court agreed with plaintiffs’ reasoning or found any obligation to defend the insured in connection with claims, negotiations or discussions.