On May 18, 2015, the Connecticut Supreme Court released an opinion denying a contractor, Recall Total Information Management, Inc. (Recall), and its subcontractor, Executive Logistics Services, LLC (Executive Logistics), insurance coverage for liabilities stemming from a breach caused by the subcontractor’s loss of computer backup tapes. The tapes included the social security numbers of past and present employees of Recall’s customer IBM. Recall Total Information Management, Inc., et al. v. Federal Insurance Company et al. The Connecticut Supreme Court affirmed the grant of summary judgment in favor of the defendant insurers.
IBM had contracted with Recall for Recall to store and transport certain electronic media for IBM. Recall subcontracted those duties to Executive Logistics. While Executive Logistics was transporting computer tapes from an IBM facility to another location in a van, 130 tapes containing personal information for 500,000 past and present IBM employees literally fell off the van. Executive Logistics never recovered the tapes. But there was no evidence that anyone ever accessed the information about the IBM employees.
IBM incurred expenses of $6 million responding to the breach. IBM negotiated a settlement with Recall pursuant to which Recall reimbursed IBM for the full amount of the breach. Recall entered into a settlement agreement with Executive Logistics to cover the amount of the liabilities owed to IBM. Executive Logistics had notified its insurers of the negotiations with IBM. But the insurers refused to defend Executive Logistics or Recall in such negotiations under the Executive Logistics commercial general liability policy or the commercial liability umbrella policy. Further, the insurers did not indemnify Recall or Executive Logistics for the costs because they claimed that the policies did not cover these losses.
In a decision adopted and affirmed by the Supreme Court, the Connecticut appellate court held that (1) the insurers did not have a duty to defend because the negotiations with IBM did not constitute a lawsuit or other event that triggered a defense obligation under the insurance policies; and (2) the IBM losses were not covered damages arising from a personal injury because there was no evidence that the information was ever published to any third party. The decisive factor in the appellate court’s conclusion that the policies did not cover the losses was the lack of evidence “that the personal information actually was accessed.”
Although the legal obligations arising from either a breach caused by a hacker or the inadvertent loss of media containing sensitive information may be the same, the Recall case illustrates that insurance coverage may differ. In the case of a breach by a hacker, investigators may be able to tell whether the hacker accessed sensitive information as a result of the attack, but it may be impossible to make that determination when the breach results from stolen or lost devices. So companies must consider these issues while obtaining insurance coverage to understand what types of liability are covered under an insurance policy. Cyber-liability can cause damage in a variety of different ways, so it is important to understand the risks applicable to an individual business when obtaining any type of cyber-liability insurance.