No Coverage for Data Breach Under Personal Injury Provision in General Liability Policy

In Recall Total Information Management, Inc. v. Federal Ins. Co., 147 Conn. App. 450 (2014), Connecticut’s Appellate Court held there is no coverage for a data breach under a general liability policy’s “personal injury” coverage in the absence of evidence that the files were accessed by third parties.  

Recall, a records storage company, contracted to store tapes containing electronic personal information, including names and Social Security numbers, of 500,000 past and current IBM employees.  Recall subcontracted with a transport company to ship the tapes by truck, and was named as an additional insured on the transport company’s primary and umbrella general liability policies.  While the tapes were in transit, they fell off the transport company’s truck and were taken by an unknown person.  The tapes were never recovered.

IBM incurred over $6 million in mitigation costs as a result of the data breach, including notification to affected persons and providing credit monitoring services. IBM demanded Recall reimburse these costs.  Recall notified its insurers, but they denied coverage and declined to participate in settlement negotiations.  Recall settled with IBM and then obtained assignments from the transport company under its policies.  Recall sued the insurers, but the insurers prevailed on summary judgment.  In January, the Appellate Court upheld the judgment of the trial court.

The Appellate Court first rejected Recall’s contention a defense was owed because the court found no “suit” had been brought.  The Appellate Court next addressed the substantive coverage question.  The policies covered damages for “personal injury,” which was defined to include “injury caused by an offense of electronic, oral, written or other publication of material that violates a person’s right to privacy.”  Recall argued the personal information stored on the tapes had been “published” to the thief or other unknown persons, subjecting Recall to potential claims and liability for the costs of notifying the owners of the lost data and providing them with credit monitoring services.

The Appellate Court found, however, that Recall had failed to cite any evidence the electronically stored information was published and that speculation about a publication was insufficient.  Neither the complaint nor affidavits Recall submitted contained facts suggesting the data had been accessed, which the Appellate Court found was a prerequisite for the “publication” requirement.

The Appellate Court was also unconvinced by Recall’s argument the triggering of data breach notification statutes presupposes an invasion of privacy.  The Appellate Court explained the statutes in question do not address or provide compensation for identity theft; they simply require notice to the owner of the personal information involved in a data breach so that the victims may protect themselves from potential harm.  “Merely triggering a notification statute,” reasoned the court, “is not a substitute for a personal injury.”

Given the prevalence of data breach cases, these insurance issues will continue to be litigated.