The Connecticut Appellate Court recently held that there is no coverage for an underlying data breach claim involving the theft of tapes containing electronically stored personal information under general liability “personal injury” coverage in the absence of evidence that the files were accessed by third parties. Recall Total Information Management, Inc. v. Federal Ins. Co., 147 Conn. App. 450 (2014).
The plaintiff, Recall, is in the business of records storage. Recall entered a contract to store tapes containing electronically stored personal information, including names and Social Security numbers, of 500,000 past and current employees of IBM. Recall entered into a subcontract with a transport company to ship the tapes by truck, and was named as an additional insured on the transport company’s primary and umbrella general liability policies. While the tapes were in transit, they fell off the transport company’s truck and were taken by an unknown person. The tapes were never recovered.
IBM incurred over $6 million in mitigation costs as a result of the data breach, including notification to affected persons and the provision of credit monitoring services, and issued a demand to Recall. Recall notified the insurers, but they denied coverage and declined to participate in settlement negotiations. Recall entered a settlement with IBM, then entered negotiations with the transport company, which assigned its rights under the policies to Recall. Recall then brought a coverage lawsuit against the insurers in Connecticut state court. The trial court granted the insurers’ motions for summary judgment, finding there was no duty to defend and no coverage for the data breach under the policies. On Recall’s appeal, the Appellate Court upheld the judgment of the trial court.
The Appellate Court first considered Recall’s argument that the insurers had a duty to defend, and by breaching it, they had waived their coverage defenses. The policies provided that the insurers had a duty to defend the insured against a “suit,” which was defined as “a civil proceeding in which damages, to which this insurance applies are sought … includ[ing] arbitration or other dispute resolution proceeding.” Recall argued that its settlement negotiations following IBM’s demand constituted a “suit” to which the insurers’ duty to defend applied. The Appellate Court, however, found Recall’s interpretation to be “unduly broad.” The Appellate Court explained that Recall’s interpretation of “suit” would obliterate the distinction between the terms “suit” and “claim” in other provisions of the policies and expressed concern that Recall’s interpretation would elevate every informal discussion to a covered “dispute resolution proceeding.” The Appellate Court also cited a decision of the Connecticut Supreme Court holding that a demand letter, in itself, is not a “suit,” because it has no immediate legal effect and cannot be considered legal action.
The Appellate Court next addressed Recall’s argument that the data breach was covered under the personal injury provision of the policies. The policies covered damages that the insured is legally liable to pay for “personal injury,” which was defined to include “injury caused by an offense of electronic, oral written or other publication of material that violates a person’s right to privacy.” Recall argued that the personal information stored on the tapes had been “published” to the thief or other unknown persons, subjecting Recall to potential claims and liability for the costs of notifying the owners of the lost data and providing them with credit monitoring services. The Appellate Court found, however, that Recall had failed to cite any evidence that the electronically stored information was published and that speculation there may have been a publication was not sufficient to implicate coverage. Neither the complaint nor affidavits submitted by Recall contained facts suggesting the data had been accessed, which the Appellate Court found was a prerequisite to implicating the “publication” requirement of the at-issue personal injury coverage.
The Appellate Court was also unconvinced by Recall’s argument that the triggering of data breach notification statutes presupposes an invasion of privacy. The Appellate Court explained that the statutes in question do not address, or provide compensation for, identity theft; they simply require notice to the owner of the personal information involved in a data breach so that the victims may protect themselves from potential harm. “Merely triggering a notification statute,” reasoned the court, “is not a substitute for a personal injury.”
To read the opinion, click here.