In Recall Total Information Mgmt., Inc. v. Federal Ins. Co., SC19201 (Conn. May 18, 2015), the Connecticut Supreme Court held that where there was no factual support that anyone ever actually accessed private information stored on lost data tapes, the policyholder’s assignee could not establish publication of such information and, therefore, also could not demonstrate “personal injury” necessary to trigger such coverage under a commercial general liability (CGL) and umbrella policy.  The court also found that settlement negotiations do not qualify as a “suit” to trigger an insurer’s duty to defend.

Facts

In Recall Total, Recall Total Information Management, Inc. (Recall) entered into a contract with International Business Machines (IBM) to transport and store data tapes that contained the social security numbers, birthdates and contact information of 500,000 past and present IBM employees.  Recall subcontracted with the policyholder to provide transportation of the tapes; during transport, a storage crate containing the private information fell out of the van.  IBM took immediate steps to protect against the dissemination of any of the employees’ private information, and incurred $6 million in expenses for the mitigation measures.  Recall settled IBM’s claims and sought indemnification from the policyholder, who in turn executed a promissory note and assigned its rights under the CGL and umbrella policies in favor of Recall.

Coverage

The CGL and umbrella policies contained nearly identical personal injury coverage provisions, which required “injury, other than bodily injury, property damage or advertising injury caused by an offense of  … electronic, oral or written publication of material that  …  violates a person’s right to privacy.”  (Emphasis supplied.)

Recall argued that because the data tapes were either lost or stolen, the private information on the tapes was necessarily published to unknown persons or the thief.  In rejecting that argument, the Connecticut Supreme Court affirmed the trial and intermediate appellate courts, and held that absent factual support that the private information was actually accessed, mere loss of the tapes was not sufficient to qualify as publication.  

The Connecticut high court also considered and rejected Recall’s argument that settlement negotiations with IBM triggered the insurer’s duty to defend, affirming the lower courts’ conclusions that such negotiations did not constitute a “suit” necessary to trigger the duty to defend.

Practice Pointer

Recall Total joins other recent cyber liability coverage decisions in which application of policy language to the relevant claim facts is determinative of the court’s ultimate conclusion.  As additional cyber coverage decisions are issued, Wilson Elser’s Data Privacy & Security team will continue to monitor whether this trend continues.