Conn. court says insurer doesn't have to pay in IBM data breach case

IBM isn't a party to the long-running court battle; it has already settled with Recall for $6.4 million. Instead, the fight has been between Recall and insurers over whether it can claim coverage for that payout. For the third time, a Connecticut court has said it cannot.

The state Supreme Court revealed little of its legal rationale in its May 18 per curiam decision. Instead, the justices unanimously agreed to side with Federal Insurance Co. and Scottsdale Insurance Co., which had argued that the commercial general liability insurance policies they issued did not cover the data breach.

"Our examination of the record and briefs and our consideration of the arguments of the parties persuade us that the judgment of the Appellate Court should be affirmed," the decision read. "Because the Appellate Court's well-reasoned opinion fully addresses the certified issue, it would serve no purpose for us to repeat the discussion contained therein. We therefore adopt the Appellate Court's opinion as the proper statement of the issue and the applicable law concerning that issue."

The Appellate Court decision hinged on the fact that there was no proof that the data on the computer tapes had been accessed by anyone who might have recovered them from the highway, and thus the "personal injury" provisions in the policies did not come into play.

Recall was represented by Edmund Kneisel, of Kilpatrick Townsend & Stockton in Atlanta. Kneisel could not immediately be reached for comment. Federal Insurance was defended by Melicent Thompson, of Litchfield Cavo in Simsbury. Thompson declined to comment, as did a spokesman for the insurer. Representing Scottsdale Insurance is Robert Laurie, of Seiger Gfeller Laurie in West Hartford. Laurie could not immediately be reached.

No Publication

Under its contract with Recall, Executive Logistics was required to maintain various insurance policies, including a $2 million commercial general liability policy and a $5 million umbrella liability policy, all naming Recall as an additional insured.

On Feb. 23, 2007, Executive Logistics dispatched a transport van to move computer tapes from an IBM facility in Rye Brook, New York, to another IBM location in Poughkeepsie. During transport, a cart containing the tapes fell out of the back of the van on Interstate 684 in Westchester County. Approximately 130 tapes were removed from the roadside by an unknown person or persons and never recovered. Those tapes contained employment-related data for a half million past and present IBM employees, including Social Security numbers, birthdates and contact information.

After being notified of the lost tapes, IBM immediately notified affected employees. The corporation provided them with one year of credit monitoring to protect against identity theft. IBM claimed a total of more than $6 million in expenses for the mitigation measures and negotiated a settlement with Recall for the full amount.

After that, Recall sought indemnification from Executive Logistics, leading Executive Logistics to file claims for coverage with its insurers, Federal and Scottsdale. In addition to covering property damage, the primary policy stated that it would pay damages for "personal injury," defined as "injury, other than bodily injury, property damage or advertising injury, caused by an offense of … electronic, oral, written or other publication of material that … violates a person's right to privacy." The policy also provided that the insurer had the duty to defend the insured against a "suit" or "other dispute resolution proceeding."

The insurers denied Executive Logistics' claims. Recall then stepped in and brought suit against the two insurance companies, alleging breach of their insurance contract. The insurers filed summary judgment motions, arguing that the plaintiffs' loss was not covered by the policies. Superior Court Judge Marshall Berger, on Hartford's complex litigation docket, agreed, opining that the loss was not covered by either the plaintiff's property damage or personal injury provisions.

With regard to the personal injury provision, the trial court found that because there was no evidence the personal data of the IBM workers had been accessed, there was no evidence of personal injury from invasion of privacy.

Recall appealed to the Connecticut Appellate Court. Its lawyers argued that the data breach was a compensable personal injury under the insurance policy. Specifically, they claimed that because New York and Connecticut statutes required IBM to notify affected employees of the data loss, the triggering of those statutes constituted a presumptive invasion of privacy and personal injury.

Further, the plaintiffs' attorneys claimed the insurance companies had a duty to defend them during the settlement negotiations and therefore they were liable for the full amount of the settlement with IBM. They maintained that settlement negotiations constituted a "suit" or "other dispute resolution proceeding" under the policy.

But in a January 2014 ruling, the appellate judges upheld the trial court's interpretation of the policy. In the written opinion, Judge Douglas Lavine parsed the policy language and stated that since there was no evidence anyone accessed the information on the tapes, there was no "publication" of the data. "The plaintiffs have failed to cite any evidence that the information was published and thereby failed to take their allegation beyond the realm of speculation," Lavine wrote.

Lavine acknowledged that IBM lost more than $6 million in complying with notification statutes about the data breach. "While we do not speculate as to whether these expenditures were required by law, we conclude that they do not constitute a personal injury as defined in the policy," wrote Lavine. "These notification statutes simply do not address or otherwise provide for compensation from identity theft or the increased risk thereof, they merely require notification to an affected person so that he may protect himself from potential harm."

Recall appealed again and asked the state Supreme Court to look at the case, which was argued just last month.

Numerous groups with interest in the digital security issues submitted amicus briefs, including United Policyholders, a nonprofit group that provides information to insurance consumers in all 50 states. The group says this case is of particular importance to commercial policyholders in Connecticut who rely on their commercial general liability insurance policies for invasions of privacy.

"Pandora's box was opened the moment the IBM tapes were lost and taken by the third party," wrote Heather Spaide, of Anderson Kill in Stamford, on behalf of United Policyholders.

Spaide agreed that the information was not published under the normal definition of the word, as it might be in a newspaper, but that in legal terms publication occurred the moment employee information was made available and readable to whoever took the tapes on the roadside. "The unencrypted employee information is no longer safe, no longer secure. Connecticut's definition of 'publication' needs to reflect this reality," she wrote. 

Original article: http://www.ctlawtribune.com/id=1202726922440/Conn-Court-Says-Insurer-Doesnt-Have-to-Pay-in-IBM-Data-Breach-Case#ixzz3acMswUIM