There have been more developments in the law related to cyber and data breach claims in the last two weeks than in the last year. First, Sony and Zurich settled their coverage dispute [1] that left the lower court’s decision (which was favorable to insurers) untouched. Then, a Federal court in Utah held there was no duty to defend under a cyber policy [2].
Now, there is a decision making it more difficult to claim for damages related to data breaches under CGL policies. On May 18, 2015, the Connecticut Supreme Court affirmed a lower court’s decision in Recall Total Info. Management, Inc. v. Federal Ins. Co. [3], finding there is no insurance coverage for more than $6 million in losses related to the exposure of private information belonging to nearly 500,000 IBM employees.
In Recall Total, the insured sought coverage under its CGL policy when it lost data storage tapes storing its customer’s private information. The tapes fell out of the back of the insured’s van onto the road. It was believed that after falling out of the van, about 130 of the tapes were taken from the side of the road by an unknown person. The CGL policy at issue provided coverage for “personal injury” which included, “publication of material that…violates a person’s right to privacy.”
In analyzing this provision and the facts of this case, the court held first that there was no dispute that the information on the tapes was private, and, second, the threshold was whether the information on the tapes had been “published.” In finding there was no coverage, the lower court held there was no evidence that the information on the tapes had been found or used after the tapes fell off the van. In reviewing the evidence, the Court found, “[t]here is nothing in the record suggesting that the information on the tapes was ever accessed by anyone.” Specifically, the Recall Total lower court decision addressed the personal injury provision in the following manner:
“On the basis of our review of the policy, we conclude that personal injury presupposes publication of the personal information contained on the tapes. Thus, the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information in them has been published. The plaintiffs contend that the mere loss of the tapes constitutes a publication, and has alleged that the information was published to a thief. The plaintiffs have failed to cite any evidence that the information was published and thereby failed to take their allegation beyond the realm of speculation. See, e.g., Norse Systems, Inc. v. Tingley Systems, Inc., supra, 49 Conn.App. at 591, 715 A.2d 807 (speculation or conjecture will not overcome motion for summary judgment). As the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.”
In its concise decision, the Connecticut Supreme Court said there was no purpose in repeating the discussion in the superior court’s “well-reasoned” January 2014 ruling.
While this decision does not involve a data breach or a classic cyber claim, it provides insight into how a data breach might be viewed from a coverage perspective when there is no evidence that the private or confidential information was actually published to third parties. More importantly, the reasoning of the Recall Total decision is in harmony with the trial court’s decision in Sony’s coverage action against Zurich. In that case, which was settled before the appellate court could render its decision, the New York trial court ruled Zurich had no duty to defend because there was no “publication” under Coverage B of the CGL policy. These two decisions, coupled with the cyber exclusions that are becoming more common in CGL policies, are beginning to fill the void in case law related to these claims.