Monthly Archives: May 2015

IN IBM DATA BREACH CASE, THERE CAN BE NO PUBLICATION WITHOUT ACCESS



In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.

In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees.  Recall then subcontracted the transportation services to Ex Log.  Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual.  Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.  Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements.  IBM sought to recoup its losses from Recall Total and Ex Log.

Recall Total and Ex Log, in turn, sought recovery from their general liability insurers, which had issued general liability policies providing “personal and advertising injury” coverage.  “Personal and advertising injury” was defined in part as “injury . . . caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right of privacy.”  The trial court held that coverage was not implicated by the events, and the appellate court affirmed, see 83 A.3d 664 (Ct. App. Ct. 2014).

The Connecticut Supreme Court affirmed on the basis that there was no alleged “publication.”  In doing so, the court adopted in whole the appellate court’s decision, stating:

Because the Appellate Court’s well reasoned opinion fully addresses the certified issue, it would serve no purpose for us to repeat the discussion contained therein.  We therefore adopt the Appellate Court’s opinion as the proper statement of the issue and the applicable law concerning that issue.

Some may recall that, because there was no evidence that the IBM employees’ PII had been accessed, the appellate court declined to expound upon the meaning of “publication.”  Instead, the court concluded that without access to the information, there was no “publication” under any definition of the term:

Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.

See 83 A.3d at 672-73.

Further bolstering the court’s conclusion was the fact that the parties had stipulated that none of the IBM employees affected had been injured.  The court stated: “Moreover, because the parties stipulated that none of the IBM employees have suffered injury as a result of the tapes being lost, we are unable to infer that there has been a publication.”  Id. at 673.  (See also The Coverage Inkwell, 1/16/2014.)

Finally, the Connecticut Supreme Court’s holding also affirms the appellate court’s decision that costs incurred from complying with data breach notification statutes do not implicate “personal and advertising injury” coverage.

What this case means: It is very simple.  If there is no evidence of access of, or capability of access of, the information, there is no publication.  This decision will be especially significant in the underlying factual context of lost or stolen laptops that contain encrypted corporate data and PII.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.

EVEN IN THE CYBER WORLD, INTENTIONAL MISCONDUCT IS NOT NEGLIGENCE



Yesterday, Travelers Prop. Cas. Co. of Amer. v. Federal Recovery Services, Inc., No. 14-170 (D. Utah) determined that no coverage existed under a Technology Errors and Omissions Liability Form found in a cyber insurance policy after the insured data processor had failed to return valuable personal identification information it held on behalf of the information’s owner.  This case is going to get a lot of attention simply because it is the first published decision involving a cyber insurance policy form.  What it shows is that, even in the cyber world, intentional misconduct is not negligence.

The facts of the case are straightforward.  The underlying plaintiff, Global Fitness, owned and operated fitness centers in several states.  As part of its operations, Global Fitness had numerous members who would provide credit card or bank account information through which Global Fitness could bill them (“Member Accounts Data”).  (Slip. op. at 3.)  Defendants were engaged in the business of providing processing, storage, transmission, and other handling of electronic data for customers.  (Id. at 1.)  Global Fitness entered into a contract with Defendants to process the Member Accounts and transfer the members’ fees to Global Fitness.  (Id. at 3.)

Global Fitness later entered into an asset purchase agreement with L.A. Fitness, which included, as part of the sale, the transfer of Global Fitness’s Member Accounts Data.  Global Fitness requested that Defendants return the Member Accounts Data to Global Fitness for inclusion in the asset purchase.  Although Defendants stated that they would cooperate and transfer the data back to Global Fitness, according to the litigation that ensued, they did not.  (Id. at 3-4.)

Defendants produced the Member Accounts Data, but data was missing.  Defendants produced the data in an alternative format that included some, but not all of, the missing information.  (Id. at 4.)  According to the underlying complaint, Defendants did not produce credit card, checking account, and savings account information contained in the Member Accounts Data.  (Id.)  Global Fitness requested this information, and then requested that Defendants transfer the billing information back to Global Fitness.

Nevertheless, the information was not produced.  Instead, according to the underlying complaint, Defendants “withheld the Member Accounts Data until Global Fitness satisfied several vague demands for significant compensation.”  In addition, Defendants “refused to transfer funds it received in servicing the Member Accounts for the past week until all matters were resolved.”

Global Fitness filed a lawsuit, asserting claims against Defendants for conversion, tortious interference, and breach of contract.  An amended complaint further alleged that Defendants purposefully withheld pieces of the Member Accounts Data for payment:

Global Fitness alleged that “[Defendants] withheld the Billing Data unless and until Global Fitness satisfied several demands for significant compensation above and beyond what were provided in the Agreement.”  In addition, Global Fitness alleged that “[Defendants] retained possession of Member Accounts Data, including the Billing Data, which was the property of Global Fitness and was only provided to Paramount pursuant to the terms of the Agreement.”  “[Defendants] willfully interfered with Global Fitness’s property and refused to return Global Fitness’s property without cause or justification.”  “[Defendants] actions deprived Global Fitness of the use of its Member Accounts Data and its monies and threatened its ability to comply with its obligations under the APA with L.A. Fitness.”

(Id. at 4-5.)

The amended complaint asserted that, “[a]s a result of the delay caused by [Defendants’] actions, the purchase price of the APA decreased dramatically,” and Defendants “knowingly harmed Global Fitness’s rights under the APA with L.A. Fitness thereby causing Global Fitness irreparable harm and loss.”  (Id. at 5.)

The insureds purchased a cyber insurance policy with a Network and Information Security Liability Form and a Technology Errors and Omissions Liability Form under which they sought defense coverage.  (Id. at 1-2.)  The insuring agreement stated as follows:

SECTION I – ERRORS AND OMISSIONS LIABILITY COVERAGE

  1. Insuring Agreement

  2. We will pay those sums that the insured must pay as “damages” because of loss to which this insurance applies. The amount we will pay for “damages” is limited as described in Section III- Limits Of Insurance in your CyberFirst General Provisions Form.

  3. This insurance applies to loss only if:

(1) The loss arises out of “your product” provided to others or “your work” provided or performed for others;

(2) The loss is caused by an “errors and omissions wrongful act” committed in the “coverage territory”;

(3) The “errors and omissions wrongful act” was not committed before the Errors and Omissions Retroactive Date shown in the CyberFirst Declarations or after the end of the policy period; and

(4) A claim or “suit” by a person or organization that seeks “damages” because of the loss is first made or brought against any insured . . . .

(Id. at 2.)  Thus, the cyber policy provided coverage for loss caused by an “errors and omissions wrongful act.”  (Id. at 7.)  “Errors and omissions wrongful act” was defined as “any error, omission or negligent act.”  (Id. at 7.)

In the ensuing coverage litigation, the insurer contended that the cyber policy did not apply because the underlying action did not allege damages from an “error, omission or negligent act.”  Instead, the underlying complaints alleged intentional wrongdoing.  (Id.)  The Defendant insureds, on the other hand, contended that defense coverage existed because of the potential that they “may be found liable for an error, omission or negligent act relating to the holding, transferring or storing of data.”  (Id. at 7-8.)  Defendants contended that “Global’s claims that [Defendants] ‘withheld’ the data is broad enough to encompass possible error, omission or negligent act by [Defendants].”  (Id.)

The Utah federal court disagreed with the insureds.  Even in the cyber world, intentional misconduct is not negligence:

While the policy covers errors, omissions, and negligent acts, Global’s claims against Defendants allege far different justifications for the data to be withheld.  Global does not allege that Defendants withheld the data because of an error, omission, or negligence.  Global alleges that Defendants knowingly withheld this information and refused to turn it over until Global met certain demands.  Defendants allegedly did so despite repeated requests from Global to provide the data. Instead of alleging errors, omissions, or negligence, Global alleges knowledge, willfulness, and malice.

(Id. at 8 (emphasis added).)  The court concluded: “To trigger Travelers’ duty to defend, there must be allegations in the Global action that sound in negligence. As discussed above, there are no such allegations.”  (Id.)  Therefore, the policy was not implicated and there was no duty to defend.

One cannot argue with that logic.

This entry was posted in Uncategorized.