A recent court decision issued by the Connecticut Appellate Court, coupled with the extensive publicity arising from the recent data breach at retail giant Target, should serve as a reminder: businesses that collect and store confidential personal information need to understand whether their insurance program adequately protects them in the event of a loss of data through a data breach or other means, and whether they should consider purchasing cyber liability or data breach insurance.
In Recall Total Information Management, Inc. v. Federal Insurance Company, 147 Conn. App. 450 (Jan. 14, 2014), the Connecticut Appellate Court ruled that Recall could not recover from its insurance company the more than $6 million that Recall paid its client as compensation for the mitigation losses that the client incurred following the loss of storage tapes containing confidential personal data of approximately 500,000 individuals, because the loss of the tapes was not a covered loss under Recall’s commercial general liability insurance policy, which was a typical liability insurance policy that many businesses purchase.
The Recall case did not arise from thieves breaking into a computer network and stealing confidential personal information. Rather, it arose from a contract that Recall executed with IBM, pursuant to which Recall agreed to transport and store electronic media belonging to IBM. While some electronic media were transported by truck, a cart containing tapes of confidential employment-related data concerning nearly 500,000 past and present employees of IBM fell out of the back of the truck. It is unclear when the loss of the tapes was discovered, but many of the tapes were removed from the roadside by an unknown person at some point and the tapes were never recovered. Once the tapes were lost, IBM was forced to spend more than $6 million to limit any harm arising from the dissemination of the employees’ personal information, including providing credit monitoring services to protect against identity theft. IBM sought recovery of its mitigation expenses from Recall. IBM and Recall entered into a settlement agreement, pursuant to which Recall paid IBM’s losses. Recall then sought to recover the losses it paid IBM, under its insurance policy that provided insurance coverage for “property damage” and “personal injury,” which included injury caused by the publication of material that violates a person’s right to privacy.
The trial court concluded that Recall’s losses were not covered under the property damage coverage of the insurance policy because the policy specifically excluded coverage for data loss, since it was intangible property, a ruling that Recall did not challenge on appeal. Recall did appeal the trial court’s decision that the losses it sustained were not covered under the personal injury coverage portion of the insurance policy.
The commercial general liability policy at issue in Recall, like most commercial liability policies, provided insurance coverage for those amounts that Recall became legally obligated to pay because of “personal injury.” The policy contained a standard definition of the term “personal injury” found in many business liability policies, which included injury, other than bodily injury, property damage, or advertising injury, caused by an offense of electronic, oral, written, or other publication of material that violates a person’s right to privacy. Recall claimed that its loss fell within the definition of personal injury because employees’ personal information, including social security numbers, birthdates, and contact information, was published to the thief who took the tapes or to other persons who came into possession of the tapes. The Connecticut Appellate Court rejected the argument and ruled that absent proof that the information contained on the tapes was published to a third party, the loss of the tapes themselves did not constitute publication of private material and, therefore, did not fall within the definition of “personal injury” for which coverage was to be provided. As a result, Recall could not recover the $6 million it paid IBM under its commercial insurance policy.
The Recall case and media attention surrounding data breaches should serve as a reminder to businesses of the importance of ensuring that they understand the coverage available under the insurance policies they purchase, and whether the risks of data loss or any other particular risk that a business may reasonably face is covered under their insurance policies. Businesses that face the risk of a data breach or other loss of confidential information may wish to consider the need for cyber liability or data breach insurance if their current business insurance policy does not provide such coverage. Data breach insurance will likely protect a business from the significant mitigation expenses that arise when confidential information has been lost or stolen, as well as litigation expenses associated with defending lawsuits arising from loss of confidential data. Whether a particular loss is covered under a policy, however, depends on a review of the terms and conditions of the entire policy and an analysis of the facts and circumstances surrounding a particular loss.