In response, “IBM immediately took steps to prevent the dissemination of the information. On March 30, 2007 and on April 23, 2007, IBM wrote to Recall claiming a total of $6,192,468.30 in expenses—$2,467,245.10 for notifying current and/or former employees, $595,122.00 for maintaining call centers and $3,130,101.20 for credit monitoring services—as a result of the loss of the tapes. Recall entered into a settlement agreement with IBM for the full amount of the loss.” Recall III at *1.
Recall reimbursed IBM and pursued its transportation vendor, Executive Logistics Inc. The two resolved their dispute and pursued Executive’s CGL insurers, which denied the claim, arguing that the “publication of material, in any manner, that violates a person’s right of privacy” coverage under a CGL policy requires a showing of “access,” and because there was no evidence anyone accessed the information on the tapes, there was no “publication.”
Recall sought coverage under the section of its CGL policy that covered “a ‘personal injury,’ which was defined by the policies in relevant part as an ‘injury ... caused by an offense of ... electronic, oral, written or other publication of material that ... violates a person's right of privacy....’” Recall III, at *1.
The insurers denied any duty to defend or indemnify and declined to participate in settlement negotiations for several reasons, most notably that “the claims arise from the preventative measures taken by IBM because of the theft, or loss of use, of the data on the tapes—not the tapes themselves.” Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co. (Recall I), No. X07CV095031734S, 2012 WL 469988, at *5 (Conn. Super. Ct. Jan. 17, 2012). The most important issue to arise out of the case was whether the data being in the hands of a thief was publication or whether the information needed to be disseminated further. The court inRecall I, held that because there was no evidence that the information was accessed, there was no injury to persons and no one’s right to privacy was violated. Id. at *6.
In Recall II, the Connecticut Appellate Court agreed with the insurers, concluding that access is a prerequisite to publication because one must have access to information in order to publish it. The court also reasoned that the facts of Recall did not demonstrate the requisite level of access to the information (as opposed to accessing the information by taking the tapes) and thus there was no publication. The Connecticut Supreme Court went on to adopt the appellate court’s decision.
While this decision limits policyholder access to CGL insurance in Connecticut in similar scenarios (i.e., where the evidence of access to information is lacking), it leaves open the argument that more traditional data breaches, such as those with Target, Home Depot, Anthem, and Sony (another CGL publication dispute that recently settled while arguments were pending before a New York appellate court) would still qualify. These issues will continue to be closely watched as other jurisdictions weigh in. See, e.g.,Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC., No. 1:13-cv-917 (GBL), 2014 WL 3887797 (E.D. Va. Aug. 7, 2014), where the mere availability of information on the internet–even without evidence of third party viewing–constituted a publication).
Gregory D. Podolak is with Saxe Doernberger & Vita, P.C., Hamden, CT.
Keywords: insurance, cyber coverage, Connecticut, Recall Total Information Management, IBM