Are You Covered? CT Businesses Should Double Check Insurance Coverage for Data Loss

The Connecticut Appellate Court recently decided a case involving damages from loss of data related to 500,000 IBM employees. The case is entitled Recall Total Information Management v. Federal Insurance Company. The lost data included social security numbers and birth dates. The data was lost in the process of transport for storage. Some 4 years after the loss, there has been no reported identity theft.

As I have mentioned on this blog many times, data loss events can cause significant damages to a business. In this case, IBM incurred 6 million in expenses to provide identity protection to its employees and to address the breach. The data storage company paid IBM the full amount of its loss. The storage company, and its subcontractor, tried to get insurance coverage for the IBM claim under a commercial general liability policy. Obtaining coverage for a data loss breach under the terms of a commercial general liability policy could pose several challenges, and the results have been inconsistent across different courts and cases. In this case, the insured party tried the most likely arguments to obtain coverage, but the insurance company denied it.

The litigation that ensued concerned whether the insurance company properly denied coverage. The trial court agreed that it was proper to deny coverage. On appeal, one of the issues concerned the nature of data loss and whether it triggered coverage under the policy for a personal injury. The Appellate Court found that the policy did not provide coverage under the personal injury provisions of the policy. One of the reasons related to the fact that the data was never published to or accessed by anyone. This suggests that the results might have been different had there been dissemination of the data by a thief.

 

The takeaway here is that businesses need an annual review of their insurance policies to specifically address the types of exposure they face. A commercial general liability policy may not cover every circumstance. In the case of data loss, security breaches, or technology errors, there are specific policies designed to cover these risks. Seeking coverage for data loss claims under a standard commercial liability policy likely will be problematic, and may result in no coverage, as highlighted by this recent case.

Will Your Data Loss Be Covered By Insurance?

I always recommend that businesses implement a plan for data loss, security breach, and privacy related to electronically stored information.   As additional protection, I also typically recommend that businesses investigate additional insurance coverage.  In particular, business owners with risk should investigate insurance coverage for first and third party claims arising out of a loss of data, security breach, or technology errors.  These insurance plans are sometimes referred to as cyber liability or technology errors insurance.  I have posted about these insurance plans in the past.

By obtaining the proper data loss insurance coverage, a business should be able to make an insurance claim for its own losses and, at the same time, have protection from lawsuits following a data loss incident. However, after reading a recent article by Jaikumar Vijayan from Computerworld.com, I suppose the critical words here are "should" and "proper" as it relates to insurance coverage for a data loss incident.

Jaikumar wrote an article about a Colorado insurance company that filed a lawsuit to deny responsibility for the University of Utah’s 2008 security breach and data loss totaling $3.3 million in costs. Colorado Casualty Insurance filed a declaratory judgment lawsuit in the United States District Court of Utah.

The University of Utah utilized a third party vendor, Perpetual Storage, Inc., for data storage concerning data on 1.7 million patients over 16 years at university hospitals and clinics. According to the lawsuit, the University of Utah incurred $3.3 million in costs to remedy the security breach and made a claim for reimbursement to Perpetual Storage. In turn, Perpetual Storage referred the matter to Colorado Casualty, its liability insurer.

In response to Perpetual Storage’s claim, Colorado Casualty filed the lawsuit seeking a ruling that it did not have to provide Perpetual Storage with a defense to any claims brought by the University or reimburse the University for its damages. Perpetual Storage filed a motion to dismiss the complaint, claiming that Colorado Casualty did not plead specific facts or mention particular insurance policy provisions. At this point, the outcome of the lawsuit is not clear.

The takeaway here for Connecticut business owners is that not every insurance plan will provide the proper coverage for a data loss, security breach, or technology errors.  Whether Perpetual Storage had the "proper" coverage in place is not clear as the specific policies were not referenced in the lawsuit or the motion to dismiss.  Nevertheless, the lawsuit serves as a reminder that business owners need to make sure the proper insurance coverages are in place.  Do not assume that a general commercial liability policy will cover the specific risks of data loss, security breach, or technology errors.  In fact, in most instances, a general commercial liability policy will not cover such risks.