One of the hottest points of contention between policyholders and insurers these days is whether coverage for a personal and advertising injury in commercial general liability (CGL) policies applies to cyberattacks and data breaches when it is unclear that information was accessed by hackers or further disseminated to the public or the “cyber black market.” In Recall Total Information Management Inc. v. Federal Ins. Co., the Connecticut Supreme Court, on May 18, 2015, affirmed the Connecticut Appellate Court’s decision that Federal Insurance Company and Scottsdale Insurance Company are not required to defend or indemnify the insureds for the loss of computer tapes that exposed personally identifiable information (PII) for some 500,000 current and former International Business Machines Corp. (IBM) employees.
Factual Background
The facts are straightforward yet distinguishable from the many cases in which a data breach occurs as a result of hacking or system penetration. In this instance, Recall Total had a contract with IBM requiring it to transport and store various electronic media and records. Recall Total subcontracted the transportation of IBM’s records and media to its co-plaintiff, Executive Logistics Inc. (Ex Log)—Recall Total and Ex Log are collectively known as the plaintiffs. The data breach in question occurred when, during transport, a cart containing IBM’s tapes fell from the back of Ex Log’s transport van. Before the cart could be retrieved, 130 tapes were removed from the roadside by an unknown person and have never been recovered.
The lost tapes contained the personal information of over 500,000 past and present IBM employees. Although the tapes were of a type that could not be read by personal computers or other devices accessible to average persons, IBM immediately took steps to mitigate the potential harm from the possible use or dissemination of the personal information on the tapes. IBM notified its employees of the incident, set up a call center to answer their questions about the lost data, and provided each person with one year of credit monitoring. The cost to IBM for these mitigation measures totaled more than $6 million.
IBM made a demand on Recall Total for all of the expenses it incurred addressing the data breach. Recall Total, as an additional named insured on Ex Log’s CGL policy, notified the insurers that issued the primary and umbrella policies to Ex Log of IBM’s demand, but those insurers denied coverage and refused to participate. After two years, Recall Total negotiated a settlement with IBM and agreed to pay IBM the full amount of its costs. Recall Total then demanded indemnification from Ex Log, and Ex Log and Recall Total both sought coverage under Ex Log’s CGL policy. When coverage was denied, the plaintiffs filed suit against the defendant insurers claiming, among other things, breach of the contract of insurance.
Ex Log’s policy provided coverage for personal injury from invasion of privacy. But in the absence of any allegation or evidence that the lost data on the tapes had actually been accessed, the trial court reasoned that there was no injury to a person. Rather, the trial court observed that, although IBM had incurred substantial expense in addressing the data loss, this could not satisfy the “personal injury” requirement because, as a corporation, IBM is not a person for purposes of invasion of privacy law. Thus, in the absence of proof that anyone whose personal information was lost had suffered identity theft or any other privacy violation in the four years since the loss of the data, the trial court granted the defendant insurers’ motion for summary judgment.
After the trial court ruled that no coverage existed for the data breach losses, the plaintiffs appealed, raising the argument that the claimed losses constituted personal injuries under the policies.
Appellate Court Decision
On appeal, the plaintiffs claimed error in the trial court’s conclusion that the loss of the tapes did not constitute a compensable personal injury under the CGL policy. They argued that, not only did the loss of data itself constitute personal injury, but because the loss of data triggered state law remedial privacy statutes, personal injury should be presumed.
The appellate court noted that the policy defined “personal injury” to include any injury “caused by an offense...or other publication of material that...violates a person’s right to privacy.” Thus the appellate court found that the dispositive issue was not whether the personal information had been lost but, rather, whether it had been published. The appellate court did not decide the question of whether publication within the meaning of the policy would require dissemination to a single person or the public at large. Instead, the court noted that there was nothing in the record to suggest that the information on the tapes had been accessed by anyone. It dismissed the plaintiffs’ contention that the lost personal information had been published to the unknown thief as mere speculation of publication. Accordingly, the appellate court agreed with the trial court that the plaintiffs’ claim was not covered under the policy’s personal injury provision.
Finally, the appellate court noted its disagreement with the plaintiffs’ contention that the triggering of certain state laws requiring notification of the data loss to affected persons amounted to the “presumptive invasion of privacy.” The court observed that these notification laws neither address nor provide any compensation to potential victims of identity theft. These statutes require notice only so that the affected persons can attempt to protect themselves. Therefore, the appellate court concluded that the triggering of notification statutes could not be a substitute for proof of an actual invasion of privacy.
Supreme Court Decision
The Connecticut Supreme Court said in its ruling that there was no purpose in repeating the discussion in the appellate division’s “well-reasoned” January 2014 ruling. The Supreme Court affirmed on the basis that there was no alleged publication. In doing so, it adopted in whole the appellate court’s decision, stating, “Because the appellate court’s well-reasoned opinion fully addresses the certified issue, it would serve no purpose for us to repeat the discussion contained therein. We therefore adopt the appellate court’s opinion as the proper statement of the issue and the applicable law concerning that issue.”
On the one hand, the holding in Recall Total is somewhat limited by its facts. Because there was no evidence that the information on the IBM tapes had been accessed, the court held that there was no publication, no matter the meaning of the term. In most data breach cases, however, there is evidence that someone accessed the stolen data, either by means of hacking or with the assistance of an inside company employee. Thus, for many cases, Recall Total may be distinguished on its facts. What was made crystal clear by the Connecticut Supreme Court, however, is that, if there is no evidence of access, or capability of access, to the information, there is no publication. This decision especially will be significant in the underlying factual context of lost or stolen laptops that contain encrypted corporate data and PII.