The Connecticut Supreme Court heard oral arguments Monday April 27th on an appeal testing the scope of coverage afforded for a business’s data loss or theft events under its Commercial General Liability insurance’s “Personal Injury” coverages.   Based on the Justices’ comments and questions posed with regard to Recall Total Information Mgmt. v. Federal Ins. Co., Connecticut’s highest court appears unlikely to depart from the determinations previously reached by both the trial court and Appellate Court panel below, that no coverage was afforded under the “publication” and invasion of privacy clauses of the insured’s CGL policies as a matter of law.

Recall Total’s claim for coverage arose from its agreement to transport and store various electronic media belonging to IBM.  Recall Total’s subcontractor Ex Log was moving computer tapes by transport van during February 2007, when some of the tapes fell out of the back of the van.  Over 100 tapes were removed from the roadside by an unknown person and never recovered.  The tapes contained past and present IBM employees’ employment related data.  IBM gave notice and provided credit monitoring to potentially affected employees, then claimed and eventually obtained a settlement of over $6 Million from Recall Total.  When Ex Log’s CGL insurers denied coverage, Ex Log assigned its insurance rights to Recall Total.   The insurers prevailed in the trial court that there was no coverage under the CGL policy, then prevailed again in January 2014 on all appealed issues including whether the loss of tapes constituted a personal injury.

Justice Richard A. Robinson had pointed questions for Recall Total’s counsel on whether “publication” within the policies’ Personal Injury definition was even possible, based on the fact that the reel to reel data tapes were part of a “closed architecture system” that no thief or third party could access.  Chief Justice Chase T. Rogers had some choice inquiries as well, positing “you got what you paid for” if Recall Total purchased coverage for publication to a third party, and not a broader theft coverage.  She asked for Recall Total’s “fallback position” on whether there was enough ambiguity about whether there was a “suit” to avoid summary judgment in the insurers’ favor on their defense duties, signaling her diminished interest in Recall Total’s primary argument that the legal definition of “publication” might require nothing more than “to make public” the private data.

The Hartford-area attorneys representing the two insurers used their portion of the oral arguments, under reduced questioning from the panel, to point out that Recall Total had the burden to establish the scope of coverage under the CGL policies, and to reference several potentially applicable exclusions that need not be addressed because Recall Total had failed to satisfy its initial burden.  Scottsdale Insurance’s counsel further contended that this Court must conclude, as the appellate panel had before, no “presumptive” invasion of privacy existed merely because IBM’s data breach notification statutory obligations may have been triggered in Connecticut and in New York.  Neither the breach notification statutes, nor the public policy on which they are based, requires a presumption or finding of personal injury as defined in the CGL insurance policies.

The Appellate Court’s determination was reached approximately 3 months after its hearing in October 2013.  We will post a follow-up Blog report when the Connecticut Supreme Court issues an opinion in this matter.