Connecticut Supreme Court Denies Coverage For Data Breach Where There Was No Publication
The Connecticut Supreme Court held that the insurers had no coverage obligation for losses tied to a data breach because there was no publication of the material, as required under the policy provisions for coverage, where the policyholder could not show that anyone viewed the lost data.
Recall Total Information Management Inc. (“Recall”) contracted with International Business Machines (“IBM”) to transport and store computer tapes containing personal information of current and former IBM employees. Recall subcontracted with Executive Logistics Services, LLC (“ExLog”) to provide the transportation. During transport, the computer tapes fell from ExLog’s truck onto the road and were retrieved by an unknown individual. There was no evidence that anyone ever accessed the information on the tapes, but IBM spent a significant amount of money providing identity theft services to its employees. IBM sought reimbursement from Recall and ExLog. Federal Insurance Company (“Federal”) and Scottsdale Insurance Company (“Scottsdale”) issued, respectively, a commercial general liability policy and an umbrella policy to ExLog, naming Recall as an additional insured. Federal and Scottsdale were notified of settlement negotiations between IBM, Recall, and ExLog, but declined to participate and declined coverage.
Recall and ExLog filed a declaratory action alleging breach of the insurance contracts. They sought coverage on the basis that the loss of the tapes constituted a “personal injury” – defined in the policies as an “injury…caused by an offense of…electronic, oral, written or other publication of material that…violates a person’s right of privacy….” The trial court granted the insurers’ motions for summary judgment, finding that there was no duty to defend and the loss was not covered under the personal injury provision.
The Appellate Court affirmed the trial court’s judgment. The Appellate Court first found that the settlement negotiations between IBM, Recall, and ExLog did not constitute a “suit” as defined in the policies – “a civil proceeding in which damages, to which this insurance applies are sought…[and] includes arbitration or other dispute resolution proceeding…to which the insured must submit or does submit with our consent.” The court reasoned that a plain reading of the policy did not support the conclusion that “suit” was meant to encompass the informal negotiations in this case and such an interpretation would create internal consistencies within the policy, as it would merge the term “claim” with “suit.” As there was no “suit,” the insurers’ duty to defend was not triggered. The court next addressed the policies’ coverage under the personal injury provision. The insureds argued that publication to the thief occurred, thereby triggering coverage under the clause. However, the court rejected that argument, finding that the mere loss of information does not constitute publication and that the insureds failed to provide any evidence that the information was ever accessed or viewed by anyone. As such, the court concluded that the publication requirement of the personal injury clause was not met and there was no coverage. The Connecticut Supreme Court affirmed and adopted the Appellate Court’s opinion “as the proper statement of the issue and the applicable law….” Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., SC 19291 (Conn. May 26, 2015).