The Connecticut Appellate Court recently decided a case involving damages from loss of data related to 500,000 IBM employees. The case is entitled IMB caseRecall Total Information Management v. Federal Insurance Company. The loss of data included social security numbers and birth dates. The data was lost in the process of transport for storage. Some 4 years later after the loss, there has been no reported identity theft.
As I have mentioned on this blog many times, data loss events can cause significant damages to a business. In this case, IBM incurred 6 million in expenses to provide identify protection to its employees and to address the breach. The data storage company paid IBM the full amount of its loss. The storage company, and its subcontractor, tried to get insurance coverage for the IBM claim under a commercial general liability policy. Obtaining coverage for a data loss breach under the terms of a commercial general liability could pose several challenges and the results have been inconsistent across difference courts and cases. In this case, the insured party tried the most likely arguments to obtain coverage, but the insurance company denied it.
The litigation that ensured concerned whether the insurance company properly denied coverage. The trial court agreed that it was proper to deny coverage. On appeal, one of the issues concerned the nature of data loss and whether it triggered coverage under the policy for a personal injury. The Appellate Court found that the policy did not provide coverage under the personal injury provisions of the policy. One of the reasons related to the fact that the data was never published to or accessed by anyone. This suggests that the results might have been different had there been dissemination of the data by a thief.
The take away here is that businesses need an annual review of their insurance policies to specifically address the types of exposure they face. A commercial general liability policy may not cover every circumstance. In the case of data loss, security breaches, or technology errors, there are specific policies designed to cover these risks. Seeking coverage for data loss claims under a standard commercial liability policy likely will be problematic, and may result in no coverage as highlighted by this recent case.