The Connecticut Appellate Court recently affirmed a lower court ruling that insurance companies did not breach their duty to defend a document storage company following a data breach. The plaintiff document storage company was responsible for transporting and storing its client’s electronic media and contracted with a third party logistics company for transportation services. The contract with the logistics company required it to maintain several insurance policies and to name plaintiff as an additional insured. The insurance policy at issue covered “personal injury” and said the insured has “the right and duty to defend the insured against a suit.” “Personal injury” under the policy included injuries resulting from the “publication of material” that “violates a person's right to privacy.” A “suit” under the policy included civil proceedings, including “arbitration or other dispute resolution proceeding.” During transport, a cart containing data tapes fell out of the back of the van and some of the tapes, which contained the employment data of approximately 500,000 current and past employees of plaintiff’s client, including birth dates, Social Security numbers and contact information, were never recovered. Plaintiff’s client allegedly took more than $6 million in mitigation measures following the breach, to comply with New York's and Connecticut's data breach notification statutes, and plaintiff settled with its client for this amount, without clearing it with the insurance companies. Plaintiff filed suit when the insurance companies refused to cover its losses claiming that (1) settlement negotiations with its client constituted a "suit" such that by refusing to cover the settlement amount, the insurance companies breached their duty to defend; and (2) that loss of the tapes was a “personal injury” under the policies. The court disagreed, holding that “on the basis of a plain reading of the policy, we cannot concluded that the term ‘suit' or phrase ‘other dispute resolution proceeding' was meant to encompass the mere negotiations that took place in this case,” and in any case, the defendants did not consent to the negotiations, a requirement under the policy. Similarly, the court disagreed with the plaintiffs that the loss of the tapes was a “personal injury” under the policy, on that grounds that “merely triggering a notification statute is not a substitute for a personal injury.”
Tip: This case is a reminder that companies who are subject to a data breach should check their insurance policies for coverage details to determine prerequisites, if any, for such coverage.