Denial of Coverage Under CGL Policy Affirmed by Connecticut Appeals Court in IBM Data Breach

By Jennifer Daniels

I often advise clients on security incidents involving the loss of a portable device that contains personally identifiable information.  We frequently have a conversation about what to do if a device is misplaced but there is no evidence that it is in the hands of a wrongdoer or that the data on the device have even been accessed.  The law may require companies to notify individuals of the incident anyway, and often companies want to notify the individuals and take steps to mitigate potential harm.  So, substantial costs may be incurred by companies before any suit is filed against them.  Does your insurance policy cover those mitigation costs if no lawsuit is ever filed?

Recall Total Information Management, Inc., et al. v Federal Insurance Company, et al., __ Conn. App. ___, 2014 WL 43529 (Conn. App. Ct. Jan 14, 2014) involved a dispute over coverage under the personal injury clause of a commercial general liability policy that arose from the theft of electronic storage tapes when an IBM subcontractor transporting those tapes suffered a traffic incident.  The tapes contained personally identifiable information about approximately 500,000 IBM employees and former employees.

In 2003, Recall entered into a contract with IBM under which Recall agreed to transport and store various electronic media for IBM.  Recall subsequently entered into a subcontract with Executive Logistics (Ex Log) to provide the transportation services.  The subcontract required Ex Log to maintain a $2 million commercial general liability policy and a $5 million umbrella liability policy naming Recall as an additional insured.  Federal Insurance issued those policies.

In February 2007, Ex Log was transporting IBM computer tapes in a van, and a cart containing the tapes fell out of the back of the van.  The tapes were removed from the scene by an unknown person and were not recovered.  The tapes included Social Security numbers, names, and birthdates of 500,000 individuals.  IBM took steps to notify the affected individuals, established a call center, and offered a one-year credit monitoring service to the individuals potentially impacted by the incident.  IBM incurred more than $6 million in expenses for these mitigation measures, and settled with Recall for the full amount of those losses.  Recall then sought indemnification from Ex Log, and Ex Log filed claims against its insurance policy.  Federal Insurance denied coverage.  The plaintiffs brought an action against the insurer claiming breach of an insurance contract.  The trial court concluded that the plaintiffs’ losses were not covered under either the property damage or the personal injury provisions of the policy.

On appeal, the plaintiffs argued that the trial court erred in finding that (1) the defendants did not have a duty to defend, and (2) the loss of the tapes did not constitute a personal injury.  The Connecticut appeals court ruled against the plaintiffs.

First, the policy at issue provides that the insurer had a right and duty to defend the insured against a suit, but the policy defined a “suit” as a civil proceeding, including arbitration or a dispute resolution proceeding.  The plaintiffs claimed that they engaged in negotiations with IBM for over two years and that the insurer failed to defend them in those negotiations.  But the appellate court found that those negotiations were not a “suit,” as defined in the policy.

Next, the appellate court addressed whether the trial court erred in its interpretation of the policy.  The plaintiffs argued that (1) the loss of the tapes constituted the personal injury as defined by the policy, and (2) the loss of the tapes triggered the remedial provisions of certain state privacy laws, such that personal injury can be presumed.  The appellate court disagreed.

The policy defines “personal injury” as: “injury, other than bodily injury, property damage or advertising injury, caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right to privacy.” (Emphasis added.)  The plaintiffs argued that the information on the tapes was “published” to the thief, thereby subjecting the plaintiffs to liability for the cost of notifying the individuals and providing the credit monitoring service.  However, the court found no evidence that the information on the tapes had been published to the thief.  There was no evidence that the information on the tapes was ever communicated to anyone, and no evidence that any employee or former employee of IBM was harmed due to any such improper access.

Keep in mind that insurance policies are interpreted by courts in the same manner as contracts.  The court will look to the precise language of the policy to determine what is covered.  Accordingly, it is critical that companies scrutinize their policies to identify if there are gaps in their coverage.

Does Obamacare Create a Hackers’ Pot of Gold?

By Steven Caponi

Adding to the controversy surrounding the Affordable Care Act, aka Obamacare, is a new 253-page Obamacare rule that requires state, federal, and local agencies, as well as health insurers, to share protected health information (“PHI”) on any individual seeking to join the new “healthcare exchanges.”  PHI includes individual medical histories, test and laboratory results, insurance information, and other personal health-related data.

Although PHI is already protected by various federal laws, the new Obamacare rule allows agencies to trade information in order to verify that applicants are receiving the appropriate level of health insurance coverage from the healthcare exchanges.  The rule, however, does not require that applicants pre-approve the release of their PHI.  In fact, the Department of Health and Human Services already allows the exchange of some PHI without an individual’s pre-approval, especially when it’s for a “government program providing public benefits.”  Officials state that the swapping of information is simply meant to help determine the best insurance coverage for every Obamacare user.

If enacted as written, the new Obamacare rule will result in the creation of one of the largest collections of personal data in U.S. history whereby information will be managed and shared between numerous federal, state, and local governments.  This repository will undoubtedly be an irresistible “pot of gold” for every hacker and identity thief on the planet.

Nish Bhalla, CEO of Security Compass, is an ethical hacker specializing in web security for Fortune 500s, major banks, and well-known technology companies.  Drawing on his unique perspective, Bhalla noted that, “Typically, state governments do not have the same level of resources as the federal government when it comes to cybersecurity.  In fact, a recent study by Deloitte-NASCIO found that only 24 percent of state chief information security officers are confident they can thwart hack attacks.”

Speculating on how the vulnerable exchanges could be exploited, Bhalla believes we will “see a standard crop of web-based attacks directly targeting the state exchanges and federal data hub.  We’re also sure to see a lot of spam, phishing, and ‘waterholing’ attacks that target consumers.”  Aside from direct attacks on the exchanges themselves, hackers will seek softer targets, such as public computer terminals (i.e., libraries, schools, unions, small business associations, etc.) that will be made available for people to enroll in an exchange.  Other vulnerable targets include various “navigator” companies responsible for helping people enroll online.

While the healthcare exchanges have conducted security audits, the testing has not been as rigorous as one might expect given the amount of PHI at risk.  As with many aspects of Obamacare, security testing appears to have been rushed in order to meet specific deadlines.  Numerous news stories have already reported on the “glitches” with Obamacare’s online enrollment portal, reaching the evident conclusion that rushing any large project is likely to result in errors.

While it’s too soon to determine how secure our PHI will be in the hands of various government agencies, we do know that hackers will be unable to resist the temptation to grab at such low-hanging fruit.