IN IBM DATA BREACH CASE, THERE CAN BE NO PUBLICATION WITHOUT ACCESS


This entry was posted by on .

In Recall Total Info. Management, Inc. v. Federal Ins. Co., No. SC 19291, the Connecticut Supreme Court upheld the appellate court’s decision that a data breach suffered by IBM was not covered under general liability policies’ “personal and advertising injury” coverage.

In that case, Recall Total had contracted with IBM to transport off-site and store computer tapes containing the encrypted personal information of current and former IBM employees.  Recall then subcontracted the transportation services to Ex Log.  Ex Log lost the computer tapes when they fell from Ex Log’s truck onto the roadside and were retrieved by an unknown individual.  Importantly, there was no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.  Nevertheless, IBM spent significant sums of money providing identity theft services and complying with state notification requirements.  IBM sought to recoup its losses from Recall Total and Ex Log.

Recall Total and Ex Log, in turn, sought recovery from their general liability insurers, which had issued general liability policies providing “personal and advertising injury” coverage.  “Personal and advertising injury” was defined in part as ‘‘injury . . . caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right of privacy.”  The trial court held that coverage was not implicated by the events, and the appellate court affirmed, see 83 A.3d 664 (Ct. App. Ct. 2014).

The Connecticut Supreme Court affirmed on the basis that there was no alleged “publication.”  In doing so, the court adopted in whole the appellate court’s decision, stating:

Because the Appellate Court’s well reasoned opinion fully addresses the certified issue, it would serve no purpose for us to repeat the discussion contained therein.  We therefore adopt the Appellate Court’s opinion as the proper statement of the issue and the applicable law concerning that issue.

Some may recall that, because there was no evidence that the IBM employees’ PII had been accessed, the appellate court declined to expound upon the meaning of “publication.”  Instead, the court concluded that without access to the information, there was no “publication” under any definition of the term:

Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.

See 83 A.3d at 672-73.

Further bolstering the court’s conclusion was the fact that the parties had stipulated that none of the IBM employees affected had been injured.  The court stated: “Moreover, because the parties stipulated that none of the IBM employees have suffered injury as a result of the tapes being lost, we are unable to infer that there has been a publication.”  Id. at 673.  (See also The Coverage Inkwell, 1/16/2014.)

Finally, the Connecticut Supreme Court’s holding also affirms the appellate court’s decision that costs incurred from complying with data breach notification statutes do not implicate “personal and advertising injury” coverage.

What this case means: It is very simple.  If there is no evidence of access of, or capability of access of, the information, there is no publication.  This decision especially will be significant the underlying factual context of lost or stolen laptops that contain encrypted corporate data and PII.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights.