In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.
In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees. Recall then subcontracted the transportation services to Ex Log. Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual. Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee. Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements. IBM sought to recoup its losses from Recall Total and Ex Log.