The Connecticut Supreme Court recently published its eagerly anticipated decision in Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co. (Recall III), No. 19291, 2015 WL 2371957, at *1 (Conn. May 26, 2015), one of the first decisions of its kind addressing commercial general liability (CGL) coverage for certain types of cyber exposures. The case received attention for its interpretation of “publication” in the personal and advertising injury coverage of a standard CGL insurance policy. The court held that the insurers were not required to defend or indemnify the insureds for damages stemming from the loss of computer tapes containing the personal information of approximately half a million IBM employees because, even though there was evidence that the computer tapes fell into the hands of an unknown third party, there was no publication.
The facts surrounding the Recall case are not what most envision in a groundbreaking cybersecurity case. When one hears of a data breach, the first thought is usually of covert computer hackers or sly social engineers obtaining encryption keys from unsuspecting employees. In this case, the data breach was decidedly more low-tech; it occurred when a cart containing old computer tapes fell out of the back of a transportation vendor’s van. An unknown individual retrieved 130 of these tapes, which contained the names, birth dates, addresses, and social security numbers of about 500,000 present and former IBM employees.