The Connecticut Supreme Court’s ruling that an IBM Corp. contractor isn’t insured for $6 million in losses stemming from a traffic mishap that exposed IBM employees’ personal information gives insurers stronger footing to argue against coverage for data breaches, but the peculiar facts of the case could limit the decision’s effects, attorneys say.
In a closely watched case, the Connecticut high court unanimously found Monday that Federal Insurance Co. and Scottsdale Insurance Co. don’t have to cover losses stemming from a data breach that occurred when a cart holding computer tapes with IBM employees’ sensitive information fell out of the back of a transportation contractor’s van near a highway exit ramp.
About 130 of the tapes, which contained the Social Security numbers, birth dates and contact information of 500,000 past and present IBM workers, were taken from the roadside by an unknown person.
The case garnered extensive attention from both policyholder and insurer-side attorneys, as it was one of the first matters dealing with data breach coverage issues under commercial general liability policies to yield appellate-level authority.
The Connecticut high court adopted the decision of a state appellate court, which held that IBM contractor Recall Total Information Management Inc., now known as Recall Holdings Ltd., and subcontractor Executive Logistics Inc. hadn’t triggered a section of the relevant policies providing coverage for injuries caused through the publication of material that violates a person’s right to privacy.
Policyholder attorneys said the ruling’s reach will be limited by the circumstances of the underlying incident and other factors.
“Here, the data breach was atypical,” said Sherilyn Pastor, practice group leader of McCarter & English LLP’s insurance coverage group. “There was no third-party hacker, no one intentionally seizing another’s data, no one identified as having obtained the lost data, and no private information accessed, used, stolen, distributed, or disclosed.”