Happy June – the first day of meteorological summer!
In the last month, both a federal and state court denied coverage for claims relating to an insured’s handling of electronic data. In the first case, a federal court held that there was no coverage under a cyber insurance policy for a claim alleging that the insured had intentionally refused to return electronic financial data. In the second, a state supreme court held that there was no coverage under a general liability policy for a claim alleging that the insured had lost computer tapes storing personal information. Both of these decisions illustrate the importance of the specific language contained in an insurance policy as that language determines the scope and breadth of the coverage actually afforded under that policy.
First, on May 11, 2015, a federal district court held that an insurer did not owe a duty to defend under a cyber insurance policy in connection an underlying lawsuit alleging that the insureds refused to return certain electronic data to a client. See Travelers Prop. & Cas. Co. of America v. Federal Recovery Serv., Inc., Case No. 2:14-CV-170 TS (D. Utah May 11, 2105). In this case, the insureds were in the business of processing and handling electronic data for their clients, including Global Fitness who transferred its members’ credit card and bank account information to the insureds for them to collect monthly membership fees on behalf of Global Fitness. After Global Fitness entered into an asset purchase agreement with a large national fitness center, Global Fitness informed the insureds of the transaction and requested that all member account data be returned. Although the insureds initially agreed to cooperate, they refused to return all of customer data to Global Fitness until it made additional payments to the insureds. After Global Fitness filed a lawsuit against the insureds, they turned to their cyber insurance policy for coverage.
The applicable cyber insurance policy limited coverage to an “errors and omissions wrongful act” which was defined as meaning “any error, omission or negligent act.” Because Global Fitness alleged that the insureds intentionally withheld the customer data, the insurer denied coverage to the insureds. The federal court agreed with the insurer, holding that none of Global Fitness’ allegations involved an error, omission or negligence.
Second, on May 26, 2015, the Connecticut Supreme Court, adopting the Appellate Court’s decision, held that an insured’s general liability policy did not provide coverage for the loss of computer tapes which contained the personal information of current and former IBM employees. See Recall Total Information Management v. Federal Ins. Co., SC19291 (May 26, 2015). In this case, IBM contracted with Recall Total Information Management (Recall) to transport and store the computer tapes. Recall, in turn, subcontracted with another company, Ex Log, to provide transportation services for the tapes. During transport, a cart containing computer tapes fell out of the back of Ex Log’s van near a highway exit ramp and approximately 130 of the tapes were retrieved by an unknown individual. Importantly, there was no evidence that anyone ever accessed the information on the tapes.
IBM spent 0ver $6 million to provide identity theft services ranging from notifying some 500,000 past and present employees to establishing a call center to answer employee questions and providing one year of credit monitoring services. IBM sought reimbursement of these expenses from Recall and eventually entered into a settlement agreement with Recall for the full amount of the loss. Recall sought indemnification from Ex Log and, in turn, Ex Log sought coverage under its general liability and umbrella policy. After Ex Log’s insurers denied coverage, Ex Log signed a promissory note in favor of Recall for the full amount of the settlement and also assigned its rights under the policies to Recall.
Recall filed a lawsuit against Ex Log’s insurers seeking coverage for the $6 million settlement. Ex Log’s general liability policy provided coverage for personal injury caused by the publication of material that violates a person’s right to privacy. Recall maintained that the loss and theft of the computer tapes which contained personal information was “published” to the unknown person who retrieved the tapes. The Connecticut Supreme Court disagreed, holding that personal injury presupposes publication of the personal information on the tapes. Because there was no evidence that the personal information was accessed by anyone, the data was not published precluding personal injury coverage under the policy. The Connecticut Supreme Court also rejected Recall’s argument that, by triggering certain state notification statutes, there has been an invasion of privacy automatically triggering personal injury coverage. By adopting the Appellate Court’s analysis, the Connecticut Supreme Court explained that state notification statutes do not provide a mechanism for an affected person to seek compensation relating to identity theft, rather the statutes require notification to the affected person for that person to protect themselves against potential harm. As such, the court held that triggering the requirements of a notification statute is not a “substitute” for personal injury under the policy.
Both of these decisions illustrate the need for a company to evaluate its exposure for privacy and security risks and confirm that those exposures are indeed covered under its insurance program. By performing such an analysis, companies can confirm – before a loss happens – that they have the proper coverage in place for their business.