Recent Cyber Risk Decisions
Recently reported data breaches and security gaffes have sent many companies scrambling to secure their data against security breaches and to obtain adequate insurance coverage in the event that such a breach occurs. But with few rulings directly addressing policy language in this context, there is a substantial amount of uncertainty as to the scope of coverage for losses associated with lapses in data security.
This Insurance Alert addresses two recent decisions on the subject. The first, issued by a federal district court in Utah, involved claims that failed to trigger coverage under a cyber liability policy. The second, issued by the Connecticut Supreme Court, involved a data breach claim that did not trigger coverage under a commercial general liability (“CGL”) policy.
In Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc., No. 14-CV-170, 2015 WL 2201797 (D. Utah May 11, 2015), Travelers had issued a “CyberFirst” liability policy to Global Fitness Holdings, LLC (“Global Fitness”). Global Fitness owned and operated fitness centers in several states across the country, and had entered into an agreement with Federal Recovery Acceptance, Inc. (“FRA”), under which FRA would process credit card and bank account information (“Member Accounts Data”) of Global Fitness’ members and transfer their membership fees to Global Fitness. Global Fitness entered into an Asset Purchase Agreement with L.A. Fitness, under which Global Fitness agreed to transfer all of its Member Accounts Data to L.A. Fitness. FRA refused to transfer the Member Accounts Data until Global Fitness had satisfied several of FRA’s demands for compensation. Global Fitness sued FRA for conversion, tortious interference and breach of contract, seeking injunctive relief, attorney fees and punitive damages. FRA tendered Global Fitness’ lawsuit against it to Travelers, which defended the lawsuit subject to a reservation of rights and commenced a separate action against FRA seeking a declaration that Global Fitness’ lawsuit against FRA did not trigger Travelers’ defense or indemnity obligations under the CyberFirst policy.
The CyberFirst policy provided coverage for loss caused by an “errors and omissions wrongful act.” “Errors and omissions wrongful act” was defined in the policy as “any error, omission or negligent act.” The district court held that the CyberFirst policy was not triggered by the allegations in Global Fitness’ pleadings:
Global does not allege that [FRA] withheld the data because of an error, omission, or negligence. Global alleges that [FRA] knowingly withheld this information and refused to turn it over until Global met certain demands. [FRA] allegedly did so despite repeated requests from Global to provide the data. Instead of alleging errors, omissions, or negligence, Global alleges knowledge, willfulness, and malice.
Travelers, 2015 WL 2201797, at *4 (footnotes omitted). Since Global Fitness’ pleadings contained no allegations of negligence, but rather only allegations of willful conduct by FRA, Travelers’ duty to defend had not been triggered under the CyberFirst policy.
In Recall Total Information Management, Inc. v. Federal Ins. Co., No. 19291, 2015 WL 2371957 (Conn. May 26, 2015), the Supreme Court of Connecticut affirmed the appellate court’s judgment (which affirmed the trial court’s grant of summary judgment in favor of the insurance company), adopting “the well reasoned opinion” of the appellate court on the coverage issues in its entirety (appellate opinion reported at 147 Conn. App. 450, 83 A.3d 664 (Conn. Ct. App. 2014)).
In Recall, Executive Logistics, Inc. (“Ex Log”) had dispatched a van to move computer tapes from an IBM facility in New York to another location. During transport, a cart containing the tapes fell out of the back of the van near a highway exit ramp. Approximately 130 of the tapes were removed from the roadside by an unknown person and never recovered. The unrecovered tapes contained employment-related data for approximately 500,000 IBM employees. The information included social security numbers, birthdates and contact information. After being notified that the tapes had been lost, IBM immediately took steps to prevent harm from any dissemination of the personal information, including notification to potentially affected employees, the establishment of a call center to answer inquiries regarding the loss and the provision of credit monitoring to potential victims for a period of one year. IBM claimed that it incurred more than $6M in expenses in the mitigation efforts that it engaged in, and IBM entered into a negotiated settlement with Recall for the full amount of the loss.
Thereafter, Recall sought indemnification from Ex Log. Ex Log, in turn, sought coverage under its CGL policy, but its claim was denied. Ex Log then settled with Recall, signing a promissory note in favor of Recall for over $6.4M and assigning its rights under its policy to Recall. Coverage litigation with respect to Ex Log’s CGL policy then ensued.
First, the Connecticut appellate court held that the claim did not trigger coverage under the CGL policy because there was no “suit” as defined therein. The policy defined “suit” as “a civil proceeding in which damages, to which this insurance applies are sought . . . [and] includes arbitration or other dispute resolution proceeding . . . to which the insured must submit or does submit with our consent.” Recall argued that it had engaged in nearly two years of settlement negotiations – first with IBM, then with Ex Log – and that such negotiations constituted a “suit” or “other dispute resolution proceeding” under the policy. The appellate court disagreed:
Our Supreme Court has held that “a demand letter from a potential plaintiff in a personal injury action is a claim. Such a demand letter falls short of a suit, broadly defined as ‘an attempt to recover a right or claim through legal action’ . . . because it has no immediate legal effect and therefore cannot be considered legal action.” (Citation omitted; emphasis omitted.) R.T. Vanderbilt Co. v. Continental Casualty Co., supra, 273 Conn. at 469, 870 A.2d 1048.
Recall, 83 A.3d at 671. The appellate court went on to say: “We also share the concern articulated in the trial court’s memorandum of decision: ‘If the [settlement negotiations] [were] found to be an “other dispute resolution proceeding,” every discussion, however informal, between an insured and a third party could be deemed a dispute resolution proceeding.’ We decline to give the word ‘suit’ such an expansive reading so at odds with its usual usage.” Id. Furthermore, the absence of the insurer’s consent to the negotiations took them out of the definition of “suit” in the policy. Id.
Next, the appellate court held that the loss did not fall within the “personal injury” liability coverage provisions of the policy. The policy defined “personal injury” as: “injury, other than bodily injury, property damage or advertising injury, caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right to privacy.” Id. at 672 (emphasis added by appellate court). The appellate court concluded that: “plaintiffs have failed to cite to any evidence that the information was published and thereby failed to take their allegation beyond the realm of speculation.” Id. (citation omitted). “Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.” Id. at 672-73 (footnote omitted).
Finally, the appellate court concluded that the breach notification statutes that required IBM to notify its affected employees of the data loss did not trigger the “personal injury” provisions of the policy, which apply to an offense that violates a person’s right to privacy:
In this case, IBM claims to have suffered a loss of more than $6 million related to the alleged compliance with these notification statutes. While we do not speculate as to whether these expenditures were required by law, we conclude that they do not constitute a personal injury as defined in the policy. These notification statutes simply do not address or otherwise provide for compensation from identity theft or the increased risk thereof, they merely require notification to an affected person so that he may protect himself from potential harm. Accordingly, merely triggering a notification statute is not a substitute for a personal injury.
Id. at 673 (citation omitted).
Arent Fox is well positioned to assist its clients in understanding how the nuances of contract interpretation affect their rights and responsibilities under myriad types of insurance policies, including those that affect data security.
Feel free to contact Elliott Kroll, Jule Rousseau, Michael Cryan, James Westerlind, Andrew Dykes, or Eric Biderman from Arent Fox LLP’s Insurance Practice Group to discuss this decision or these issues further.