Denial of Coverage Under CGL Policy Affirmed by Connecticut Appeals Court in IBM Data Breach

By Jennifer Daniels

I often advise clients on security incidents involving the loss of a portable device that contains personally identifiable information.  We frequently have a conversation about what to do if a device is misplaced but there is no evidence that it is in the hands of a wrongdoer or that the data on the device have even been accessed.  The law may require companies to notify individuals of the incident anyway, and often companies want to notify the individuals and take steps to mitigate potential harm.  So, substantial costs may be incurred by companies before any suit is filed against them.  Does your insurance policy cover those mitigation costs if no lawsuit is ever filed?

Recall Total Information Management, Inc., et al. v Federal Insurance Company, et al., __ Conn. App. ___, 2014 WL 43529 (Conn. App. Ct. Jan 14, 2014) involved a dispute over coverage under the personal injury clause of a commercial general liability policy that arose from the theft of electronic storage tapes when an IBM subcontractor transporting those tapes suffered a traffic incident.  The tapes contained personally identifiable information about approximately 500,000 IBM employees and former employees.

In 2003, Recall entered into a contract with IBM under which Recall agreed to transport and store various electronic media for IBM.  Recall subsequently entered into a subcontract with Executive Logistics (Ex Log) to provide the transportation services.  The subcontract required Ex Log to maintain a $2 million commercial general liability policy and a $5 million umbrella liability policy naming Recall as an additional insured.  Federal Insurance issued those policies.

In February 2007, Ex Log was transporting IBM computer tapes in a van, and a cart containing the tapes fell out of the back of the van.  The tapes were removed from the scene by an unknown person and were not recovered.  The tapes included Social Security numbers, names, and birthdates of 500,000 individuals.  IBM took steps to notify the affected individuals, established a call center, and offered a one-year credit monitoring service to the individuals potentially impacted by the incident.  IBM incurred more than $6 million in expenses for these mitigation measures, and settled with Recall for the full amount of those losses.  Recall then sought indemnification from Ex Log, and Ex Log filed claims against its insurance policy.  Federal Insurance denied coverage.  The plaintiffs brought an action against the insurer claiming breach of an insurance contract.  The trial court concluded that the plaintiffs’ losses were not covered under either the property damage or the personal injury provisions of the policy.

On appeal, the plaintiffs argued that the trial court erred in finding that (1) the defendants did not have a duty to defend, and (2) the loss of the tapes did not constitute a personal injury.  The Connecticut appeals court ruled against the plaintiffs.

First, the policy at issue provides that the insurer had a right and duty to defend the insured against a suit, but the policy defined a “suit” as a civil proceeding, including arbitration or a dispute resolution proceeding.  The plaintiffs claimed that they engaged in negotiations with IBM for over two years and that the insurer failed to defend them in those negotiations.  But the appellate court found that those negotiations are not the same as a “suit,” as defined in the policy.

Next, the appellate court addressed whether the trial court erred in its interpretation of the policy.  The plaintiffs argued that (1) the loss of the tapes constituted the personal injury as defined by the policy, and (2) the loss of the tapes triggered the remedial provisions of certain state privacy laws, such that personal injury can be presumed.  The appellate court disagreed.

The policy defines ‘‘personal injury’’ as: ‘‘injury, other than bodily injury, property damage or advertising injury, caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right to privacy.’’ (Emphasis added.)  The plaintiffs argued that the information on the tapes was “published” to the thief thereby subjecting the plaintiffs to liability for the cost of notifying the individuals and providing the credit monitoring service.  However, the court found no evidence that the information on the tapes had been published to the thieves.  There was no evidence that the information on the tapes was ever communicated to anyone, and no evidence that any employee or former employee of IBM was harmed due to any such improper access.

Keep in mind that insurance policies are interpreted by courts in the same manner as contracts.  The court will look to the precise language of the policy to determine what is covered.  Accordingly, it is critical that companies scrutinize their policies to identify whether there are gaps in their coverage.
