June 18, 2015 Practice Points

CT First Supreme Court to Address CGL Cyber Coverage Debate

The case received attention for its interpretation of “publication” in the personal and advertising injury coverage of a standard CGL insurance policy

by Gregory D. Podolak

The Connecticut Supreme Court recently published its eagerly anticipated decision in Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co. (Recall III), No. 19291, 2015 WL 2371957, at *1 (Conn. May 26, 2015), one of the first decisions of its kind addressing commercial general liability (CGL) coverage for certain types of cyber exposures. The case received attention for its interpretation of “publication” in the personal and advertising injury coverage of a standard CGL insurance policy. The court held the insurers were not required to defend or indemnify the insureds for damages stemming from the loss of computer tapes containing the personal information of approximately half a million IBM employees because even though there was evidence the computer tapes fell into the hands of an unknown third party, there was no publication.

The facts surrounding the Recall case are not what most envision in a groundbreaking cybersecurity case. When one hears of a data breach, the first thought is usually of covert computer hackers or sly social engineers obtaining encryption keys from unsuspecting employees. In this case, the data breach was decidedly more low-tech; it occurred when a cart containing old computer tapes fell out of the back of a transportation vendor’s van. An unknown individual retrieved 130 of these tapes, which contained the names, birth dates, addresses, and social security numbers of about 500,000 present and former IBM employees.

In response, “IBM immediately took steps to prevent the dissemination of the information. On March 30, 2007 and on April 23, 2007, IBM wrote to Recall claiming a total of $6,192,468.30 in expenses—$2,467,245.10 for notifying current and/or former employees, $595,122.00 for maintaining call centers and $3,130,101.20 for credit monitoring services—as a result of the loss of the tapes. Recall entered into a settlement agreement with IBM for the full amount of the loss.” Recall III at *1.

Recall reimbursed IBM and pursued its transportation vendor, Executive Logistics Inc. The two resolved their dispute and pursued Executive’s CGL insurers, which denied the claim, arguing that the “publication of material, in any manner, that violates a person’s right of privacy” coverage under a CGL policy requires a showing of “access,” and because there was no evidence anyone accessed the information on the tapes, there was no “publication.”

Recall sought coverage under the section of its CGL policy that covered “a ‘personal injury,’ which was defined by the policies in relevant part as an ‘injury ... caused by an offense of ... electronic, oral, written or other publication of material that ... violates a person's right of privacy....’” Recall III, at *1.

The insurers denied any duty to defend or indemnify and declined to participate in settlement negotiations for several reasons, most notably that “the claims arise from the preventative measures taken by IBM because of the theft, or loss of use, of the data on the tapes—not the tapes themselves.” Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co. (Recall I), No. X07CV095031734S, 2012 WL 469988, at *5 (Conn. Super. Ct. Jan. 17, 2012). The most important issue to arise out of the case was whether the data being in the hands of a thief was publication or whether the information needed to be disseminated further. The court inRecall I, held that because there was no evidence that the information was accessed, there was no injury to persons and no one’s right to privacy was violated. Id. at *6.

In Recall II, the Connecticut Appellate Court agreed with the insurers, concluding that access is a prerequisite to publication because one must have access to information in order to publish it. The court also reasoned that the facts of Recall did not demonstrate the requisite level of access to the information (as opposed to accessing the information by taking the tapes) and thus there was no publication. The Connecticut Supreme Court went on to adopt the appellate court’s decision.

While this decision limits policyholder access to CGL insurance in Connecticut in similar scenarios (i.e., where the evidence of access to information is lacking), it leaves open the argument that more traditional data breaches, such as those with Target, Home Depot, Anthem, and Sony (another CGL publication dispute that recently settled while arguments were pending before a New York appellate court) would still qualify. These issues will continue to be closely watched as other jurisdictions weigh in. See, e.g.,Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC., No. 1:13-cv-917 (GBL), 2014 WL 3887797 (E.D. Va. Aug. 7, 2014), where the mere availability of information on the internet–even without evidence of third party viewing–constituted a publication).

 

Gregory D. Podolak is with Saxe Doernberger & Vita, P.C., Hamden, CT.

Keywords: insurance, cyber coverage, Connecticut, Recall Total Information Management, IBM


Copyright © 2015, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).