Cybersecurity Insurance Coverage: Prudent Risk Management for Companies of All Sizes

By Kelly M. Kirby and Delaney M. Busch
December 31, 2015

The Connecticut Supreme Court recently published the much anticipated decision in Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co. (“Recall III”), 317 Conn. 46 (2015), addressing commercial general liability (“CGL”) coverage for data breach. However, those waiting for expanded guidance from the supreme court with respect to coverage for cyber law and/or cyber exposures were most likely disappointed. The Connecticut Supreme Court fully adopted the appellate court's ground-breaking decision that there is no coverage for a data breach claim involving the theft of tapes containing electronically stored personal information under a CGL policy's “personal injury” coverage provisions because, even though there was evidence the tapes fell into the hands of an unknown third party, there was an absence of evidence that the files were accessed by any third parties.

Background

The facts are relatively straightforward, yet unique when compared with other cases where a data breach occurs as a result of hacking, encryption or pirating. See Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co. (“Recall I”), 2012 Conn. Super. LEXIS 227 (Jan. 17, 2012) (both the Connecticut Appellate and Connecticut Supreme Courts adopted their facts from the Connecticut Superior Court's decision, which are set forth in summary below). In this instance, plaintiff Recall Total (“Recall”) entered into a contract with IBM to transport and store tapes containing electronically stored personal information of 500,000 current and past IBM employees. Recall, in turn, subcontracted with another company, Executive Logistics Services, LLC (“Ex Log”) (and together with Recall, “Plaintiffs”), to provide transportation services for the tapes. These tapes were not encrypted, but “[were] not the type that [could] be read by personal computer.” Recall I, 2012 Conn. Super. LEXIS, at *24. Pursuant to the contract, Ex Log maintained a $2 million CGL policy, a $1 million automobile liability policy, a $2 million fidelity bond/commercial crime policy, a $2 million professional liability policy, and a $5 million umbrella/excess liability policy, all naming Recall as an additional insured. Specifically, Federal Ins. Co. issued the CGL policy and Scottsdale Ins. Co. issued the commercial liability umbrella policy.

During transport of the tapes, a cart containing approximately 130 tapes fell out of the back of Ex Log's van near a highway exit ramp and was retrieved by an unknown person. The tapes were never recovered. Importantly, there was no evidence that anyone ever accessed the information on the tapes.

IBM spent over $6 million to provide identity theft services, including notifying its employees, establishing a call center to field questions, and providing one year of credit-monitoring services to those whose information had been lost. Ultimately, IBM sought reimbursement of these expenses from Recall and entered into a settlement agreement for the full amount of the loss. Subsequently, Recall sought reimbursement and indemnification from Ex Log. Both Recall and Ex Log provided notice of the claim to Federal Ins. Co. and Scottsdale Ins. Co. (collectively “Insurers”), which declined to participate or consent to the negotiations. In turn, Ex Log sought coverage under its policies, which the Insurers denied.

Following their denial of coverage, Ex Log signed a promissory note in favor of Recall for the full amount of the settlement and assigned its rights under the policies to Recall. Plaintiffs filed a lawsuit in the Connecticut Superior Court, Recall I, against Insurers seeking coverage for the $6 million settlement. Plaintiffs maintained that Insurers had breached their duty to defend and therefore had waived their coverage defenses. Further, Plaintiffs argued that the CGL policy provided coverage for “personal injury” caused by the “publication” of material that violates a person's right to privacy and that as a result of the loss and theft of the tapes, personal information was “published” to the unknown person who retrieved the tapes. Insurers filed a motion for summary judgment, denying any duty to defend or indemnify.

The Ruling and the Appeal

The Superior Court granted summary judgment for the Insurers, finding that they did not have a duty to defend and no coverage existed for the data breach under the policies. The court held, in pertinent part, that it was speculative or merely conjecture as to whether the thief or hacker even accessed the data and, as such, there was no publication of data triggering coverage under the policies. Thus, without publication, there was no “personal injury” as defined under the policy and no one's right to privacy was violated. On the plaintiffs' appeal, in Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co. (“Recall II”), 147 Conn. App. 450 (2014), the appellate court of Connecticut affirmed the trial court's decision that no duty to defend existed and that evidence of access was an essential prerequisite for publication.

Later, in May 2015, on the Plaintiffs' further appeal in Recall III, the Connecticut Supreme Court affirmed the appellate decision, failing to offer any additional reasoning of its own and noting that “the Appellate Court's well reasoned opinion fully addresses the certified issue, [and] it would serve no purpose for us to repeat the discussion contained therein. We therefore adopt the Appellate Court's opinion as the proper statement of the issue and the applicable law concerning the issue.” Recall III, 317 Conn., at 51.

With respect to the Plaintiffs' duty-to-defend argument, the supreme court reaffirmed the appellate court's holding that Insurers did not breach their duty to defend the Plaintiffs in settlement negotiations because no “suit” had been instituted, highlighting that settlement negotiations did not constitute a “suit” or “other dispute resolution proceeding,” which, pursuant to the policy, would have triggered the insurer's duty to defend. Recall II, 147 Conn. App., at 457-61. The policies provided that the Insurers had a duty to defend a “suit,” defined as a “civil proceeding in which damages, to which this insurance applies are sought … [and] includes arbitration or other dispute resolution proceeding … to which the insured must submit or does submit with our consent.” Id. at 458.

The Appellate Court's Reasoning

In finding that the Insurers did not have a duty to defend, the appellate court reasoned that the plain reading of the term “suit” within the policy was unambiguous and did not encompass settlement negotiations, including the nearly two years of settlement negotiations, as such an interpretation would require the “merg[ing of] the term 'claim' with 'suit.'” Recall II, 147 Conn. App., at 460. The court noted that the Connecticut Supreme Court previously held that a “suit” and a “claim” were distinct mechanisms from one another, finding that a claim and a demand from a potential personal injury plaintiff could be considered one and the same, while such a demand could not be considered a “suit” as a demand has no “immediate legal effect and therefore cannot be considered legal action.” Recall I, 147 Conn. App., at 460 (citing R.T. Vanderbilt Co. v. Continental Casualty Co., 273 Conn. 448, 469 (2005)). Thus, to construe a “suit” to include negotiations, and nothing more, would blur or “obliterate the distinction between suit and claim.” Id. at 460 (internal citations omitted).

Additionally, the appellate court explained that such settlement negotiations could not be considered an “other dispute resolution proceeding” within the policy's definition of suit because every discussion between an insured and insurer, no matter how formal or informal, could be viewed as an “other dispute resolution proceeding.” Id. Moreover, the appellate court reasoned that even if “other dispute resolution proceeding[s]” could be construed to include mere negotiations, the policy required the “insured … submit … with [the Insurer's] consent” to the proceeding. Id. Since the Insurers clearly declined to participate and did not consent to the negotiations, no duty to defend was triggered under the policy and thus, the Insurers did not waive their coverage defenses.

Beyond finding no duty to defend, the supreme court reaffirmed the appellate court's holding that the loss of tapes did not constitute a “personal injury” under the CGL policy because there had been no “publication” of the personal information stored on the tapes, which violated any person's right to privacy. Recall III, 317 Conn., at 50-51. In their complaint, the Plaintiffs alleged that “[b]y virtue of the loss and theft of the IBM tapes … the personal information that was stored on the tapes, including social security information and other private data, has been published to the thief and/or other persons unknown … thereby subjecting [the plaintiffs] to potential claims and liability … including liability for the cost of notifying the persons whose data was lost and for providing credit monitoring services to persons who requested it.” Recall II, 147 Conn. App., at 462. The CGL policy provision that plaintiffs argued should apply to the claim read: “[w]e will pay damages that the insured becomes legally obligated to pay by reason of liability: imposed by law; or assumed in an insured contract; for advertising injury or personal injury to which this coverage applies,” where the policy defined “personal injury” as “injury, other than bodily injury, property damage or advertising injury, caused by an offense of … electronic, oral, written or other publication of material that … violates a person's right to privacy.” Id. at 462.

In ruling that no coverage existed under the personal injury provision, the appellate court concluded that “the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information on the tapes has been published.” Recall II, 147 Conn. App., at 462. Indeed, the appellate court rejected plaintiffs' argument that the mere loss of the tapes constituted a publication, where plaintiffs failed to cite any evidence or otherwise provide a factual basis that the information on the tapes was ever accessed by anyone, including the thief. Id. at 462-64. Adopting the trial court's definition of publication, which is the definition that Connecticut courts use in the context of defamation claims, the appellate court held that publication required communication “to a third party.” Significantly, it further held that regardless of the precise definition of publication, “access is a necessary prerequisite to the communication or disclosure of personal information.” Recall II, 147 Conn. App., at 463.

Since no IBM employees suffered any injury as a result of the lost tapes, the appellate court was “unable to infer that there ha[d] been a publication,” and therefore, the settlement Recall reached with IBM was not covered under the policy's personal injury provision. Id. at 463-64. Plaintiffs additionally argued that coverage existed under the personal injury provision for payments made pursuant to two statutes that required certain action for the compromise of personal information, but the appellate court held that merely triggering a notification statute is not a substitute for a personal injury, and therefore the Plaintiffs were still precluded from coverage.

Analysis

As mentioned above, many waited with bated breath for the supreme court's ruling in Recall III, hoping that the decision would provide some guidance in an area lacking much direction; however, it is questionable whether the highly anticipated holding will prove useful to insurers and insureds alike. While insureds should heed the supreme court's affirmation of the appellate court's ruling as an indication that not all data breaches will necessarily be covered under a personal or advertising injury provision of a CGL policy, insurers should also note that the decision does not on its face exclude all data breaches from CGL policy coverage. Recall III involved factual circumstances that made the case unique, and arguably, not a case concerning data breach. In Recall III, there was no evidence that “hacking” or “pirating” was involved, or that the lost tapes were ever accessed by a third party. Where data breaches typically involve a person electronically gaining unauthorized access to sensitive information, it is unclear whether a case involving proof that a single hacker accessed, but did not disseminate or otherwise use personal information, will be seen as an invasion of privacy so as to invoke coverage, or whether courts will require actual evidence of dissemination or use to fall within coverage.

Despite the potential for clarification of the terms “access” or “publication,” the supreme court's ruling in Recall III is of limited utility, given its atypical facts. It is clear that the opinion was based largely on the fact that there was no evidence that any information on the tapes was accessed by a third party or even that the information could be accessed, as the tapes could not be opened on a personal computer. See Recall II, 147 Conn. App., at 463-64 (noting the court was “unable to infer that there had been publication” as the parties stipulated that no IBM employee had suffered an injury as a result of the lost tapes); see also Recall I, 2012 Conn. Super. LEXIS, at *24 (explaining the tapes could not be viewed on a personal computer). Indeed, the appellate court, in Recall II, explained that “regardless of the [court's] precise definition of publication … access [was] a necessary prerequisite to the communication or disclosure of personal information” without any further explanation or definition. See Recall II, 147 Conn. App., at 463. Further, the appellate court made it abundantly clear that there was no question that apart from the theft of the tapes, actual access of the information on the tapes themselves had not occurred. Again, this is a critical difference between the Recall cases and the majority of data breach cases where it is typically immediately apparent that the relevant information was accessed and/or used for criminal activities.

Moreover, the Recall courts' approach to publication and the requirement of access to information or data may have a limited impact within the larger context of data breach cases, as some courts do not require proof of access in order to satisfy publication. For example, in Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, where confidential medical records were posted on the Internet, the U.S. District Court for the Eastern District Court of Virginia stated that “publication does not hinge on third-party access”; rather, “publication occur[red] once [the] information [was] placed before the public” even if there was no evidence that anyone had actually viewed the confidential information. See Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 771 (E.D. Va. 2014). Similarly, in Zurich Am. Ins. Co. v. Sony Corp. of America, the court analogized the facts to opening Pandora's Box and found that by merely breaking into Sony's network, there was publication, regardless of the fact that there was no allegation that the hackers actually “published” the information. See Zurich Am. Ins. Co. v. Sony Corp. of Am., Index Number: 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014). (It is relevant to note that the court found this publication was not subject to the coverage because it was an act of third-party hackers. Moreover, this case settled in 2015 while an appeal was pending.) Thus, several questions remain with respect to the terms “publication” and “access,” particularly in the context of data breach and storage devices, such as laptops and cellphones.

Conclusion

Recent reports of data breaches suggest it would be wise for companies not to wait for the courts to clarify issues related to CGL policy coverage, and instead be proactive in procuring a policy that expressly provides coverage for any type of data breach. As of June 2015, 43% of mid-sized businesses reported that they had experienced a data breach in the past three years, and 13% further reported that a supplier's data breach affected their business information. See 4 of 10 Mid-Sized Firms Have Had Data Breach: Survey (June 26, 2015), Insurance Journal, http://bit.ly/1jM7mEO. Recent data breaches of several big-name businesses further illustrate the potential magnitude of loss resulting from such a breach, and how obtaining specifically tailored coverage can significantly soften the blow. Target and Home Depot incurred $252 million and $43 million in cumulative expenses arising from data breaches, respectively, but those costs were offset by $90 million and $15 million in insurance compensation, respectively. See How Much Do Data Breaches Cost Big Companies? Shockingly Little (March 27, 2015), Fortune.com, http://for.tn/1XYZtJT. The choice for businesses is no longer whether to buy cyber insurance; rather, it is which type of cyber insurance is best for a particular company.

This heightened reality of data breaches and other cyber threats prompted the U.S. Securities and Exchange Commission (“SEC”) to release new cyber-risk guidance to set a standard of mandatory minimums for the management of such risk for SEC registrants. See Securities and Exchange Commission, Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2, Cybersecurity (Oct. 13, 2011), http://1.usa.gov/1lM2PUb. These guidelines create SEC enforcement risk, and further provide a potential roadmap of liability for plaintiffs to pursue in class action lawsuits arising from data breach. The guidance prescribes that, in determining what it must disclose as a cyber risk, a registrant should evaluate “the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.” Id. One of the specific factors the SEC cites for consideration is a description of the registrant's relevant insurance coverage.

Inclusion of the cyber insurance factor in the SEC guidance documents reflects the risk arising from relying on traditional insurance policies not expressly written to cover the new types of perils associated with modern data breach, and suggests that businesses would do well to stay abreast of this emerging issue and work with their insurance professionals to make sure they have proper coverage for this evolving threat. Insurers are now commonly inserting electronic data exclusions into their general liability policies, or otherwise including exclusions that revise the definition of “advertising injury” or “personal injury” to exclude injury resulting from a data breach. At the same time, various insurers are underwriting policies expressly tailored to address the risk arising from our new interconnected electronic reality.

Although the facts of Recall are distinguishable from most instances of data breach, the case illustrates that businesses cannot afford to assume that traditional policy wording will cover a cyber risk. Prudent corporate governance should compel businesses to secure and regularly update and assess cybersecurity coverage in order to mitigate the risk of financial burden associated with a breach. To do otherwise necessarily places one's business in a needless state of financial vulnerability that could have easily been avoided by the procurement of appropriate coverage.


Kelly M. Kirby is an associate with the Insurance and Employment Law practice groups in the Hartford office of Gordon & Rees. Delaney M. Busch is also an associate at the firm.

'


SPECIAL OFFER: Get an online subscription to Insurance Coverage Law Bulletin for only $299. Click here, select Digital Only and use promo code ICLBOL299 at checkout. This offer is valid for new subscribers only.


'

The Connecticut Supreme Court recently published the much anticipated decision in Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co. (“Recall III“), 317 Conn. 46 (2015), addressing commercial general liability (“CGL”) coverage for data breach. However, those waiting for expanded guidance from the supreme court with respect to coverage for cyber law and/or cyber exposures were most likely disappointed. The Connecticut Supreme Court fully adopted the appellate court's ground-breaking decision that there is no coverage for a data breach claim involving the theft of tapes containing electronically stored personal information under a CGL policy's “personal injury” coverage provisions because, even though there was evidence the tapes fell into the hands of an unknown third party, there was an absence of evidence that the files were accessed by any third parties.

Background

The facts are relatively straightforward, yet unique when compared with other cases where a data breach occurs as a result of hacking, encryption or pirating. See Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co. (“Recall I“), 2012 Conn. Super. LEXIS 227 (Jan. 17, 2012) (both the Connecticut Appellate and Connecticut Supreme Courts adopted their facts from the Connecticut Superior Court's decision, which are set forth in summary below). In this instance, plaintiff Recall Total (“Recall”) entered into a contract with IBM to transport and store tapes containing electronically stored personal information of 500,000 current and past IBM employees. Recall, in turn, subcontracted with another company, Executive Logistics Services, LLC (“Ex Log”) (and together with Recall, “Plaintiffs”), to provide transportation services for the tapes. These tapes were not encrypted, but “[were] not the type that [could] be read by personal computer.” Recall I, 2012 Conn. Super. LEXIS, at *24. Pursuant to the contract, Ex Log maintained a $2 million CGL policy, a $1 million automobile liability policy, a $2 million fidelity bond/commercial crime policy, a $2 million professional liability policy, and a $5 million umbrella/excess liability policy, all naming Recall as an additional insured. Specifically, Federal Ins. Co. issued the CGL policy and Scottsdale Ins. Co. issued the commercial liability umbrella policy.

During transport of the tapes, a cart containing approximately 130 tapes fell out of the back of Ex Log's van near a highway exit ramp and was retrieved by an unknown person. The tapes were never recovered. Importantly, there was no evidence that anyone ever accessed the information on the tapes.

IBM spent over $6 million to provide identity theft services, including notifying its employees, establishing a call center to field questions, and providing one year of credit-monitoring services to those whose information had been lost. Ultimately, IBM sought reimbursement of these expenses from Recall and entered into a settlement agreement for the full amount of the loss. Subsequently, Recall sought reimbursement and indemnification from Ex Log. Both Recall and Ex Log provided notice of the claim to Federal Ins. Co. and Scottsdale Ins. Co. (collectively “Insurers”), which declined to participate or consent to the negotiations. In turn, Ex Log sought coverage under its policies, which the Insurers denied.

Following their denial of coverage, Ex Log signed a promissory note in favor of Recall for the full amount of the settlement and assigned its rights under the policies to Recall. Plaintiffs filed a lawsuit in the Connecticut Superior Court, Recall I, against Insurers seeking coverage for the $6 million settlement. Plaintiffs maintained that Insurers had breached their duty to defend and therefore had waived their coverage defenses. Further, Plaintiffs argued that the CGL policy provided coverage for “personal injury” caused by the “publication” of material that violates a person's right to privacy and that as a result of the loss and theft of the tapes, personal information was “published” to the unknown person who retrieved the tapes. Insurer's filed a motion for summary judgment, denying any duty to defend or indemnify.

The Ruling and the Appeal

The Superior Court granted summary judgment for the Insurers, finding that they did not have a duty to defend and no coverage existed for the data breach under the policies. The court held, in pertinent part, that it was speculative or merely conjecture as to whether the thief or hacker even accessed the data and, as such, there was no publication of data triggering coverage under the policies. Thus, without publication, there was no “personal injury” as defined under the policy and no one's right to privacy was violated. On the plaintiffs' appeal, in Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co. (“Recall II“), 147 Conn. App. 450 (2014), the appellate court of Connecticut affirmed the trial court's decision, that no duty to defend existed and that evidence of access was an essential prerequisite for publication.

Later, in May 2015, on the Plaintiffs' further appeal in Recall III, the Connecticut Supreme Court affirmed the appellate decision failing to offer any additional reasoning of its own, noting that “the Appellate Court's well reasoned opinion fully addresses the certified issue, [and] it would serve no purpose for us to repeat the discussion contained therein. We therefore adopt the Appellate Court's opinion as the proper statement of the issue and the applicable law concerning the issue.” Recall III, 317 Conn., at 51.

With respect to the Plaintiffs' duty-to-defend argument, the supreme court reaffirmed the appellate court's holding that Insurers did not breach their duty to defend the Plaintiffs in settlement negotiations because no “suit” had been instituted, highlighting that settlement negotiations did not constitute a “suit” or “other dispute resolution proceeding,” which, pursuant to the policy, would have trigged the insurer's duty to defend.” Recall II, 147 Conn. App., at 457-61. The policies provided that the Insurers had a duty to defend a “suit,” defined as a “civil proceeding in which damages, to which this insurance applies are sought ' [and] includes arbitration or other dispute resolution proceeding ' to which the insured must submit or does submit with our consent.” Id. at 458.

The Appellate Court's Reasoning

In finding that the Insurers did not have a duty to defend, the appellate court reasoned that the plain reading of the term “suit” within the policy was unambiguous and did not encompass settlement negotiations, including the nearly two years of settlement negotiations, as such an interpretation would require the “merg[ing of] the term 'claim' with 'suit.'” Recall II, 147 Conn. App., at 460. The court noted that the Connecticut Supreme Court previously held that a “suit” and a “claim” were distinct mechanisms from one another, finding that a claim and a demand from a potential personal injury plaintiff could be considered one and the same, while such a demand could not be considered a “suit” as a demand has no “immediate legal effect and therefore cannot be considered legal action.” Recall I, 147 Conn. App., at 460 (citing R.T. Vanderbilt Co. v. Continental Casualty Co. , 273 Conn. 448, 469 (2005)). Thus, to construe a “suit” to include negotiations, and nothing more, would blur or “obliterate the distinction between suit and claim.” Id. at 460 (internal citations omitted).

Additionally, the appellate court explained that such settlement negotiations could not be considered an “other dispute resolution proceeding” within the policy's definition of suit because every discussion between an insured and insurer, no matter how formal or informal, could be viewed as an “other dispute resolution proceeding.” Id. Moreover, the appellate court reasoned, that even if “other dispute resolution proceeding[s]” could be construed to include mere negotiations, the policy required the “ insured ' submit ' with [the Insurer's] consent” to the proceeding. Id. Since the Insurers clearly declined to participate and did not consent to the negotiations, no duty to defend was triggered under the policy and thus, the Insurers did not waive their coverage defenses.

Beyond finding no duty to defend, the supreme court reaffirmed the appellate court's holding that the loss of tapes did not constitute a “personal injury” under the CGL policy because there had been no “publication” of the personal information stored on the tapes, which violated any person's right to privacy. Recall III, 317 Conn., at 50-51. In their complaint, the Plaintiffs alleged that “[b]y virtue of the loss and theft of the IBM tapes ' the personal information that was stored on the tapes, including social security information and other private data, has been published to the thief and/or other persons unknown ' thereby subjecting [the plaintiffs] to potential claims and liability ' including liability for the cost of notifying the persons whose data was lost and for providing credit monitoring services to persons who requested it.” Recall II, 147 Conn. App., at 462. The CGL policy provision that plaintiffs argued should apply to the claim read: “[w]e will pay damages that the insured becomes legally obligated to pay by reason of liability: imposed by law; or assumed in an insured contract; for advertising injury or personal injury to which this coverage applies,” where the policy defined “personal injury” as “injury, other than bodily injury, property damage or advertising injury, caused by an offense of ' electronic, oral, written or other publication of material that ' violates a person's right to privacy.” Id. at 462.

In ruling that no coverage existed under the personal injury provision, the appellate court concluded that “the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information on the tapes has been published.” Recall II, 147 Conn. App., at 462. Indeed, the appellate court rejected plaintiffs' argument that the mere loss of the tapes constituted a publication, where plaintiffs failed to cite any evidence or otherwise provide a factual basis that the information on the tapes was ever accessed by anyone, including the thief. Id. at 462-64. Adopting the trial court's definition of publication, which is the definition that Connecticut courts use in the context of defamation claims, the appellate court held that publication required communication “to a third party.” Significantly, it further held that regardless of the precise definition of publication, “access is a necessary prerequisite to the communication or disclosure of personal information.” Recall II, 147 Conn. App., at 463.

Since no IBM employees suffered any injury as a result of the lost tapes, the appellate court was “unable to infer that there ha[d] been a publication,” and therefore, the settlement Recall reached with IBM was not covered under the policy's personal injury provision. Id. at 463-64. Plaintiffs additionally argued that coverage existed under the personal injury provision for payments made pursuant to two statutes that required certain action for the compromise of personal information, but the appellate court held that merely triggering a notification statute is not a substitute for a personal injury, and therefore the Plaintiffs were still precluded from coverage.

Analysis

As mentioned above, many waited with bated breath for the supreme court's ruling in Recall III, hoping that the decision would provide some guidance in an area lacking much direction; however, it is questionable whether the highly anticipated holding will prove useful, with respect to both insurers and insureds alike. While insureds should heed the supreme court's affirmation of the appellate court's ruling as an indication that not all data breaches will necessarily be covered under a personal or advertising injury provision of a CGL policy, insurers should also note that the decision does not on its face exclude all data breaches from CGL policy coverage. Recall III involved factual circumstances that made the case unique, and arguably, not a case concerning data breach. In Recall III,' there was no evidence “hacking” or “pirating” was involved, or that the lost tapes were ever accessed by a third party. Where data breaches typically involve a person electronically gaining unauthorized access to sensitive information, it is unclear whether a case involving proof that a single hacker accessed, but did not disseminate or otherwise use personal information, will be seen as an invasion of privacy so as to invoke coverage, or whether courts will require actual evidence of dissemination or use to fall within coverage.

Despite the potential for clarification of the terms “access” or “publication,” the supreme court's ruling in Recall III is of limited utility, given its atypical facts. It is clear that the opinion was based largely on the fact that there was no evidence that any information on the tapes was accessed by a third party or even that the information could be accessed, as the tapes could not be opened on a personal computer. See Recall II, 147 Conn. App., at 463-64 (noting the court was “unable to infer that there had been publication” as the parties stipulated that no IBM employee had suffered an injury as a result of the lost tapes); see also Recall I, 2012 Conn. Super. LEXIS, at *24 (explaining the tapes could not be viewed on a personal computer). Indeed, the appellate court, in Recall II, explained that “regardless of the [court's] precise definition of publication ... access [was] a necessary prerequisite to the communication or disclosure of personal information” without any further explanation or definition. See Recall II, 147 Conn. App., at 463. Further, the appellate court made it abundantly clear that there was no question that apart from the theft of the tapes, actual access of the information on the tapes themselves had not occurred. Again, this is a critical difference between the Recall cases and the majority of data breach cases where it is typically immediately apparent that the relevant information was accessed and/or used for criminal activities.

Moreover, the Recall courts' approach to publication and the requirement of access to information or data may have a limited impact within the larger context of data breach cases, as some courts do not require proof of access in order to satisfy publication. For example, in Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, where confidential medical records were posted on the Internet, the U.S. District Court for the Eastern District of Virginia stated that “publication does not hinge on third-party access” rather “publication occur[red] once [the] information [was] placed before the public” even if there was no evidence that anyone had actually viewed the confidential information. See Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765, 771 (E.D. Va. 2014). Similarly, in Zurich Am. Ins. Co. v. Sony Corp. of America, the court analogized the facts to opening Pandora's Box and reasoned that merely breaking into Sony's network amounted to publication, regardless of the fact that there was no allegation that the hackers actually “published” the information. See Zurich Am. Ins. Co. v. Sony Corp. of Am., Index Number: 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014). (It is relevant to note that the court found this publication was not subject to the coverage because it was an act of third-party hackers. Moreover, this case settled in 2015 while an appeal was pending.) Thus, several questions remain with respect to the terms “publication” and “access,” particularly in the context of data breach and storage devices, such as laptops and cellphones.

Conclusion

Recent reports of data breaches suggest it would be wise for companies not to wait for the courts to clarify issues related to CGL policy coverage, and instead be proactive in procuring a policy that expressly provides coverage for any type of data breach. As of June 2015, 43% of mid-sized businesses reported that they had experienced a data breach in the past three years, and 13% further reported that a supplier's data breach affected their business information. See 4 of 10 Mid-Sized Firms Have Had Data Breach: Survey (June 26, 2015), Insurance Journal, http://bit.ly/1jM7mEO. Recent data breaches of several big-name businesses further illustrate the potential magnitude of loss resulting from such a breach, and how obtaining specifically tailored coverage can significantly soften the blow. Target and Home Depot incurred $252 million and $43 million in cumulative expenses arising from data breaches, respectively, but those costs were offset by $90 million and $15 million in insurance compensation, respectively. See How Much Do Data Breaches Cost Big Companies? Shockingly Little (March 27, 2015), Fortune.com, http://for.tn/1XYZtJT. The choice for businesses is no longer whether to buy cyber insurance; rather, it is which type of cyber insurance is best for a particular company.

This heightened reality of data breaches and other cyber threats prompted the U.S. Securities and Exchange Commission (“SEC”) to release new cyber-risk guidance to set a standard of mandatory minimums for the management of such risk for SEC registrants. See Securities and Exchange Commission, Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2, Cybersecurity (Oct. 13, 2011), http://1.usa.gov/1lM2PUb. These guidelines create SEC enforcement risk, and further provide a potential roadmap of liability for plaintiffs to pursue in class action lawsuits arising from data breach. The guidance prescribes that, in determining what it must disclose as a cyber risk, a registrant should evaluate “the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.” Id. One of the specific factors the SEC cites for consideration is a description of the registrant's relevant insurance coverage.

Inclusion of the cyber insurance factor in the SEC guidance documents reflects the risk arising from relying on traditional insurance policies not expressly written to cover the new types of perils associated with modern data breach, and suggests that businesses would do well to stay abreast of this emerging issue and work with their insurance professionals to make sure they have proper coverage for this evolving threat. Insurers are now commonly inserting electronic data exclusions into their general liability policies, or otherwise including exclusions that revise the definition of “advertising injury” or “personal injury” to exclude injury resulting from a data breach. At the same time, various insurers are underwriting policies expressly tailored to address the risk arising from our new interconnected electronic reality.

Although the facts of Recall are distinguishable from most instances of data breach, the case illustrates that businesses cannot afford to assume that traditional policy wording will cover a cyber risk. Prudent corporate governance should compel businesses to secure and regularly update and assess cybersecurity coverage in order to mitigate the risk of financial burden associated with a breach. To do otherwise necessarily places one's business in a needless state of financial vulnerability that could have easily been avoided by the procurement of appropriate coverage.


Kelly M. Kirby is an associate with the Insurance and Employment Law practice groups in the Hartford office of Gordon & Rees. Delaney M. Busch is also an associate at the firm.
