Wiley Rein Files Amicus Brief Successfully Urging Connecticut Supreme Court to Uphold Coverage Denial in IBM Data Breach Case

May 20, 2015

Wiley Rein represented three leading trade associations of property and casualty insurers as amici curiae in urging Connecticut’s highest court to uphold a lower court ruling that denied commercial general liability (CGL) coverage for claims arising from the loss of computer tapes that contained the personal information of about 500,000 current and former IBM employees.

In a unanimous May 18 decision, the Connecticut Supreme Court found that the policyholders’ payment of more than $6 million was not covered by CGL policies issued by Federal Insurance Co. and Scottsdale Insurance Co. The case is Recall Total Information Management Inc. et al. v. Federal Insurance Co. et al.

The data breach occurred in 2007, when the computer tapes fell out of a van operated by a subcontractor of Recall Total—which had a contract with IBM to transport the tapes. An unknown individual retrieved about 130 of the tapes from the roadside, but there was no evidence that anyone ever accessed the data or that the loss of the tapes caused injury to any IBM employee. As reported byLaw360, the Connecticut Supreme Court found that the contractors hadn’t triggered a section of the relevant policies providing coverage for injuries caused through the publication of material that violates a person’s right to privacy.

The ruling echoed points that Wiley Rein had advanced in an amici curiae brief on behalf of the American Insurance Association (AIA), the Complex Insurance Claims Litigation Association (CICLA) and the Property Casualty Insurance Association of America. A team led by Laura A. Foggan, chair of Wiley Rein’s Insurance Appellate Group, had authored the brief in support of Federal Insurance and Scottsdale Insurance.

“This is a significant precedent in which the Connecticut Supreme Court recognized the limits of CGL coverage with respect to data breach claims after being fully briefed by the parties and multiple amici on both sides,” Ms. Foggan said of the ruling in an interview with Law360.

She added that despite the unusual facts of the case, the decision translates to other data breach scenarios. Data breach cases may involve exposure of computer tapes or even hard copy documents, as well as electronic systems.  “This case involved the loss and theft of information akin to what we see when we usually talk about privacy or data breach claims,” Ms. Foggan said. “These cases commonly involve concerns over whether the keeper of the information became a victim of hacking because it didn't adequately protect the information. That same theme is seen in this case.”

Further, the court rejected claims that CGL policies provide coverage for the costs of notifying individuals of a data security breach, explaining that “notification statutes simply do not address or otherwise provide for compensation from identity theft” and  “merely triggering a notification statute is not a substitute for a personal injury.”