On May 19, 2015, the Connecticut Supreme Court affirmed a lower court decision denying insurance coverage for costs incurred to mitigate against a data breach.1 The case is one of the first appellate decisions applying a standard industry form (ISO Form CG 00 01 04 13) typically found in commercial general liability (CGL) policies in the context of a data breach. The underlying facts illustrate that costs related to a "real world" data breach are not necessarily covered by insurance.
Recall Total Information Management, Inc. ("Recall") entered into an agreement with IBM to transport and store electronic data belonging to IBM. Recall hired a subcontractor to transport the data. During transport, computer tapes containing employment-related data for approximately 500,000 IBM employees were lost or stolen. The data included social security numbers, birthdates and contact information.
IBM took steps to mitigate harm from any dissemination of the data. It notified employees, established a call center to answer questions and provided credit monitoring to protect against identity theft. These mitigation efforts cost $6 million. Recall reimbursed IBM for the costs and then sought coverage under CGL policies issued by Federal Insurance and Scottsdale Insurance.
The relevant "Personal and Advertising Injury" coverage provision of the policies provided: "[W]e will pay damages that the insured becomes legally obligated to pay by reason of liability: imposed by law; or assumed in an insured contract; for advertising injury or personal injury to which this coverage applies." The policies defined "personal injury" as: "injury, other than bodily injury, property damage or advertising injury, caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person's right to privacy."
Recall argued that the personnel data on the lost tapes was published to the persons who took the tapes, thereby subjecting Recall to liability. The court found, however, that mere loss of the tapes did not constitute publication of the data. Rather, publication required some evidence that the data was actually accessed or used for improper purposes. There was no evidence to suggest that the thief ever used the data or that IBM's employees ever suffered injury as a result of the lost data. Without such evidence, the court found no "publication" of personal data and therefore no "personal injury" under the policies. The court further found that IBM's obligation to notify affected employees under state statutory provisions did not constitute an invasion of privacy. According to the court, "[m]erely triggering a notification statute is not a substitute for a personal injury."
The court's decision begs this question: had the missing data been used improperly or posted in the public domain, would there be coverage under the relevant "Personal and Advertising Injury" coverage provision? The court does not answer this question but the answer is probably "yes." 2 Thus, Recall was fortunate that the data was never used to harm IBM's employees but unfortunate in that it sustained a $6 million loss for which there was no insurance coverage.
A final note: a series of data breach exclusionary endorsements were introduced into the market in May 2014. One such exclusion would exclude "personal and advertising injury" arising out of any access to or disclosure of any person's personal information.3 This endorsement precludes damages for mitigation costs like those at issue in this case.
1 Recall Total Information Management, Inc. v. Federal Ins. Co., -- A.3d --, 2015 WL 2371957 (Conn. 2015). The underlying appellate decision contains the substantive discussion of the facts and law. Recall Total Information Management, Inc. v. Federal Ins. Co., 83 A.3d 664 (Conn. App. 2014).
2 Indeed, at least one other court has upheld coverage for liability that the insured has resulting from third-party publication of private data. See Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).
3 See ISO Form CG 21 08 05 14 (2013).