The Connecticut Appellate Court Limits CGL Coverage For Electronic Data Breaches
January 21, 2014
Last week the Connecticut Appellate Court concluded that a Commercial General Liability ("CGL") policy will not provide coverage for more than $6 million in costs incurred in taking steps to protect employees exposed to identity theft when computer tapes containing personal information went missing. In Recall Total Mgmt. v. Federal Ins. Co., AC No. 34716 (Jan. 14, 2014), a cart containing computer tapes of IBM employee information fell out of a truck and IBM immediately took steps to prevent harm from the dissemination of this information. The CGL carriers denied coverage and refused to "defend" the insureds by representing them in negotiations to resolve the claims made by IBM and the transportation company. In affirming the trial court’s grant of summary judgment in favor of the insurers, the Appellate Court construed three significant terms of the policy: the duty to defend, property damage and personal injury.
First, the Appellate Court concluded that the insurers had not breached their duty to defend because no "suit," triggering the insurers’ duty to defend, had been instituted. Based upon "a plain reading of the policy, [it could not] conclude that the term ‘suit’ . . . was meant to encompass the mere negotiations that took place...." In reaching this conclusion, the Court distinguished R.T. Vanderbilt Co. v. Continental Casualty Co., 273 Conn. 448 (2005), where the Connecticut Supreme Court ruled that an environmental administrative action did constitute a "suit" triggering a duty to defend.
Second, the Appellate Court held that the loss was not covered under the property damage provision of the policy because loss of electronic information constitutes intangible property, which was expressly excluded.
Third, the Appellate Court ruled that the loss was not covered under the personal injury provision of the policy – which covers "injury, other than bodily injury … caused by an offense of … electronic, oral, written or other publication of material that … violates a person’s right to privacy" – because there was "nothing in the record suggesting that the information on the tapes was ever accessed by anyone" and none of the policyholder’s employees suffered injury as a result of the tapes being lost. It also rejected the policyholder’s argument that the mere triggering of a notification statute, requiring IBM to take remedial action, could constitute personal injury under the policy.
Recall stands as a warning to policyholders of the costs and coverage issues associated with data security breaches. Its holding leads to the unfortunate result that CGL coverage may only be available after the lost data harm others, effectively discouraging the implementation of remedial steps to limit or prevent misuse of private information. This is poor public policy which hardly benefits insurers. Perhaps there was no evidence in Recall that the lost information was misused precisely because the policyholder took those remedial measures.
Recall is also a good reminder to review your current policies to ensure you have the proper coverage for your business’ needs. Historically, traditional CGL and property insurers did not respond well to claims of data breach and began adding specialized exclusions to preclude coverage. At least 31 insurers now offer some form of cyber liability coverage as a stand-alone insurance policy. See The Betterley Report: Cyber/Privacy Insurance Market Survey - 2012, Betterley Risk Consultants, Inc., June 2012. There are three fundamental coverage types: liability for loss or breach of the data, remediation costs to respond to the breach, and coverage for fines and/or penalties imposed by law or regulation. Coverage can be triggered by failure to secure data; loss caused by an employee; acts by persons other than insureds; and loss resulting from the theft or disappearance of private property.
In 2013, NetDiligence reviewed 137 insurance claims submitted under cyber liability insurance policies between 2009 and 2011 and reported that hard costs associated with data breach claims averaged $3.7 million. The average defense cost was $582,000 and the average cost to settle was $2.1 million. Id. Of the 140 claims submitted, 88 reported claims payouts, for a total of $84 million. Id. Approximately half (50.4%) was spent on crisis services, 35.6% on legal defense, 12.9% on legal settlements and less than 1% each for PCI and regulatory fines. Id. Lost or stolen laptops/devices were the most frequent cause of loss. Id.
Policyholders who do not want to risk a dispute over whether a data breach claim falls within a CGL, property or other form of insurance coverage can purchase these policies designed specifically to protect against data breaches.
If you have any questions about the information contained in this Alert, please contact Melissa A. Federico at email@example.com, or Marilyn B. Fagelson at firstname.lastname@example.org or a member of our Insurance Recovery Group.