According to Identify Theft Resource Center (ITRC), a non-profit national organization providing consumer and victim support and public education on identify theft, as of the end of July 2015, there have been a total of 450 breaches identified and more than 135,000,000 records exposed. As consumers, most of us at one time or another have received an email or correspondence from a company informing us that a breach has occurred and that our information may have been stolen. At that time you are left panicking, trying to ensure that no “new” charges have appeared on your account, closing that account and all associated accounts, and potentially even looking into an identity theft security company to ensure you are protected. If in fact your information has been stolen, you may be seeking retribution from the company that was breached.
Companies having a serious data breach have been sued under a variety of legal theories. Allegations of negligence, breach of fiduciary duty, and breach of contract are common. Some recent cases have even argued that data breaches are subject to strict liability.
Negligence, the most common allegation, is typically defined in terms of a failure to use reasonable care or doing something a reasonably prudent person would not do. Breach of fiduciary duty, meanwhile, is a failure to fulfill an obligation to act in the best interest of another party. Plaintiffs may claim that federal privacy laws, such as the ones embedded in HIPAA, and state consumer protection laws create fiduciary duties that are breached when data is lost or stolen. Breach of contract claims are based on the failure to fulfill a condition of a contract. In most instances, Plaintiffs claim the Defendant company's written privacy policy is a contract or that state consumer protection laws create an implied contract.
Settlements of data breach class actions can be substantial. For example, ChoicePoint agreed to pay $10 million to settle a lawsuit over the 2004 theft of 163,000 personal information records by identify thieves. In cases involving stolen credit card information, credit card companies may sue the retailer or processing company that experienced the breach. Heartland Payment Systems, for example, agreed to settlements of up to $60 million with Visa, $41 million with MasterCard, $5 million with Discover, and $3.6 million with American Express following the 2008 theft of 130 million credit card records.
For these companies at which a data breach occurred, what protections are they afforded? Is there coverage for a personal and advertising injury in commercial general liability policies when there has been a cyber-attack and data breach when it is unclear that information was accessed by hackers or further disseminated to the public or the cyber black market? This question was answered by the Connecticut Supreme Court recently in the case of Recall Total Information Management, Inc. v. Federal Ins. Co. In this case, Recall had a contract with IBM requiring the former to transport and store various electronic media and records. Recall Total subcontracted the transportation of IBM’s records to its co-plaintiff, Executive Logistics Inc. The data breach occurred when, during transport, a cart containing IBM’s data fell from the back of Executive Logistics’ transport van. Before the cart could be retrieved, 130 tapes of data were removed by an unknown person and never recovered.
IBM made a demand on Recall Total for all of the expenses incurred addressing the data breach. Recall Total, as an additional insured on Executive Logistics’ commercial general liability policy, notified the insurers that issued the primary and umbrella policies (which provided coverage for personal injuries from invasion of privacy), but those insurers denied coverage and refused to participate. When coverage was denied, Recall filed suit against the insurance companies claiming, among other things, breach of contract.
The trial court ruled that no coverage existed for the data breach losses, reasoning that there was no evidence that the lost data on the tapes had actually been accessed. Both the Appellate Court and Supreme Court of Connecticut upheld the trial court’s ruling that without any allegation or evidence of publication of the information there was no indication of personal injury from an invasion of privacy that would trigger coverage under the policy.
The holding in Recall Total is distinguishable from many data breach cases because there was no evidence that the information on the IBM tapes had been accessed, and therefore the court held that there was no publication. In most data breach cases, however, there is at least some evidence that someone accessed the stolen data, either by means of hacking or the assistance of an inside employee. Thus, for many cases, Recall Total is arguably distinguishable on its facts. However, what was made clear by the Connecticut Supreme Court is that if there is no evidence of actual access to the information or capability to access the information, there is no publication and a company will not be able to turn to its insurance policies to help cover any losses that may occur in attempting to rectify or mitigate the damages caused by the theft of data.
