As more data breaches and information security events occur, the insurance industry will see more disputes over whether losses from these events are covered under commercial general liability (CGL) policies. In the latest round, the appellate court in Connecticut rejected the insureds’ attempts to seek coverage under a CGL policy for the costs of responding to a data breach involving personal information.

In 2003, Recall Total Information Management, Inc. (Recall) agreed to transport and store computer tapes for IBM. Recall entered into a subcontract with Executive Logistics, Inc. (Ex Log) for transportation services. In 2007, a cart containing IBM’s computer tapes fell out of the back of an Ex Log van. Approximately 130 tapes, which held employment-related data including Social Security numbers, birthdates, and contact information, were taken from the roadside and never recovered. In order to provide legally required notice of the incident to the approximately 500,000 past and present IBM employees affected, IBM incurred more than $6 million in expenses for a call center and one year of credit monitoring. Recall sought indemnification from Ex Log after entering into a negotiated settlement with IBM. Ex Log (and Recall as an additional insured) sought coverage under a CGL policy issued by its carrier.

The court addressed the issue of whether the insurer had a duty to pay the notification costs under the “personal injury” section of the policy, in particular, coverage for injury caused by “publication of material that…violates a person’s right to privacy.” Plaintiffs alleged that the loss of the computer tapes was publication of the information to the thief.

The court found no evidence in the record suggesting the information in the stolen tapes was ever accessed. IBM’s notification letter to the affected employees stated: “we have no indication that the personal information on the missing tapes, which are not the type that can be read by a personal computer, has been accessed or used for any improper purpose.” Further, the court noted that none of the employees reported any financial (or other) losses as a result of the lost tapes. These facts provided additional support for the court’s reasoning that the tapes were not accessed and that, therefore, there was no communication or disclosure of personal information.

Plaintiffs additionally argued that the data breach notification statutes that required IBM to notify the affected employees created “presumptive invasions of privacy.” Plaintiffs argued that an invasion of privacy triggers the notification statutes, and therefore, the provision of notice assumes a prior invasion of privacy. The court also rejected this argument, stating that the “notification statutes simply do not address or otherwise provide for compensation from identity theft or the increased risk thereof, [and] they merely require notification to an affected person so that he may protect himself from potential harm.” The court reasoned that triggering the notification statute does not equal personal injury under the policy because there is no presumption that an invasion of privacy existed based simply on the fact that personal information security has been compromised.

The Recall decision joins a growing list of cases addressing claims for insurance coverage arising from data breaches and information security events. Insurance practitioners should take heed, as this will continue to be an emerging area of insurance law for the foreseeable future.