The National Association of Insurance Commissioners has warned that commercial insurance policies providing general liability coverage do not apply to many cyber risks.1 The Connecticut Supreme Court recently confirmed that point in one of the first state appellate court decisions construing the scope of coverage for data breaches under commercial general liability (CGL) policies. Recall Total Info. Mgmt. v. Fed. Ins. Co., SC 19291 (to be Officially Released May 26, 2015). The state supreme court adopted and affirmed a ruling that Federal Insurance Company (Federal) and Scottsdale Insurance Company (Scottsdale) had no coverage obligations for losses arising from a significant data breach.
The facts underlying the Recall dispute are reminiscent of the often bizarre coincidences found in law school examinations. Recall was a contractor that IBM hired to transport data tapes. Recall engaged subcontractors to perform the actual work. One of the subcontractors obtained a $2 million CGL and a $5 million umbrella liability policy from Federal and Scottsdale, respectively, and had Recall named as an additional insured under these policies. Things went awry when a cart containing the data tapes fell out of the back of one of the subcontractor's vans. The data on the tapes included private information about some 500,000 past and present IBM employees, including social security numbers, birthdates, and contact information. An unknown person removed the tapes, and they were never recovered. IBM spent significant sums responding to the data loss and recouped those costs from Recall through a negotiated settlement. Federal and Scottsdale disclaimed coverage, refusing to participate in the settlement negotiations or to indemnify Recall for the loss. After settling with IBM, Recall sued its insurers, claiming they breached the insurance contracts and seeking reimbursement for its legal fees in negotiating with IBM and the amount of the settlement payment.
The trial court ruled in favor of the insurers, holding that they had no duty to defend or indemnify Recall from IBM's claims. Recall first appealed to the Connecticut Appellate Court, contending that coverage existed, because the data losses fell within the policies' definition of personal injury. The policies defined "personal injury" to include "injury, other than bodily injury, property damage or advertising injury, caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person's right to privacy." Recall Total Info. Mgmt. v. Federal Ins. Co., 147 Conn. App. 450 (Conn. App. Ct. 2014). In construing the policy language, the appellate court declared that personal injury was "not the loss of the physical tapes themselves; rather it is whether the information in them has been published" that guided whether an injury occurred. Id. Although Recall argued that the data had been "published" to the person who removed the tapes, the Appellate Court refused to equate the loss of the data with publication, because the record "was entirely devoid of facts suggesting that the personal information actually was accessed . . . ." 147 Conn. App. at 462. In the absence of any evidence that the thief had actually accessed the personal data on the tapes, the Court found there was no publication and, thus, no personal injury. Id. at 462-63. Recall then sought and obtained further review through a petition for certification to the Connecticut Supreme Court.
The Connecticut Supreme Court fully adopted the opinion from the Connecticut Appellate Court. Significantly, the Connecticut Supreme Court opinion did not offer any additional reasoning of its own, instead stating "the Appellate Court's well-reasoned opinion fully addresses the certified issue, [and] it would serve no purpose for us to repeat the discussion contained therein. We therefore adopt the Appellate Court's opinion as the proper statement of the issue and the applicable law concerning the issue." The Connecticut Supreme Court's endorsement of the lower court rulings represents a significant - though limited - victory for insurers in defining coverage obligations for data breaches under CGL policies.
This ruling makes clear that, under Connecticut law, at a minimum, evidence of actual publication of the stolen information must exist in order for an insured to obtain coverage for a data breach under a CGL or umbrella policy. Although the costs of responding to a data breach can be enormous, the loss of information alone is insufficient to trigger coverage under general liability policies.