Connecticut Court Declines to Open New Door to Coverage in Data Breach Cases

Intellectual Property   |   March 31, 2014

Massive data breaches, now commonplace, often prompt alarm. But the danger they represent—unauthorized use of confidential information—does not always follow straightforwardly. Nonetheless, a growing body of law requires companies affected by data breaches to take prophylactic measures. The cost and publicity of these measures can represent a significant loss, even if no identity theft ever occurs. When these indirect consequences of data breaches interact with the language of traditional insurance coverage provisions, problems can arise. In January 2014, in Recall Total Information Management v. Federal Ins. Co., the Connecticut Appellate Court rejected several novel arguments about injuries of this type that could have broadly redefined the nature of "personal injury."

Recall Total was responsible for storing and transporting data on various electronic media for IBM. In February 2007, approximately 130 electronic tapes containing confidential information of about 500,000 present and former IBM employees fell from the back of a van belonging to Recall Total’s subcontractor. The tapes were never recovered. IBM took immediate security precautions, such as notifying the affected employees and offering them identity theft protection. Recall Total later agreed to pay IBM more than $6 million to cover the costs of those mitigation measures. None of the individuals whose data was lost reported any injury as a result of the incident.

Recall Total was an additional insured under its subcontractor’s commercial general liability policy. The policy required the insurers to provide Recall Total with a defense against certain kinds of "suit," which was defined to include a "dispute resolution proceeding … to which the insured … submit[s] with our consent." Recall Total argued that its nearly two years of negotiations, first with IBM and then its subcontractor, constituted either a "suit" or such a "proceeding." The Court rejected the argument, making clear that the duty to defend is not triggered by "every discussion, however informal." The Court added that, in any event, defendants did not consent to the negotiations.

Plaintiffs also argued that Recall Total’s payment to IBM was covered under the personal injury provision of the policy. "Personal injury" was defined to include "injury caused by an offense of … publication that … violates a person’s right to privacy." Plaintiffs contended that private data had been "published," in that it was communicated to the unknown person or persons who removed the tapes from the place at which they were lost. The Court noted, however, that there was no evidence that anyone actually accessed the information contained on the tapes: no instance of unauthorized use had been reported, and, further, the tapes could not be read by a personal computer.

Plaintiffs also argued that IBM’s notice to its affected employees had been mandated by certain state privacy statutes, and that the triggering of those statutory obligations therefore constituted "presumptive invasions of privacy." Plaintiffs argued, in other words, that the statute created a new type of "personal injury" that could be implied by law into the policies. The Court declined to do so, noting that the statutes "do not address … identity theft or the increased risk thereof … [but] merely require notification to an affected person so that he may protect himself from potential harm." The trial court’s award of summary judgment to the insurers was affirmed.

©2022 Carlton Fields, P.A.
