A funny thing happens when a developing area of the law becomes "hot," particularly if there is little judicial guidance on the books. Suddenly, all court decisions even remotely touching on the subject become "eagerly anticipated" as potential "turning points." This is certainly true today regarding data breach coverage litigation. When examined closely, however, some of these decisions don't involve a data breach at all, and provide unreliable guidance at best.

One of the hottest points of contention between policyholders and insurers these days is whether the coverage for personal and advertising injury in CGL policies applies to cyber-attacks or data breaches, where it is unclear whether information was accessed by hackers and/or further disseminated to the public or to the "cyber black market." One case that insurers often cite for the proposition that the mere theft of data does not constitute a "publication" for purposes of personal and advertising injury coverage is Recall Total Information Management, Inc. v. Federal Ins. Co., 83 A.3d 664 (Conn. App. Ct. 2014). Both policyholders and insurers await the Connecticut Supreme Court's impending review of this decision, and argue that a ruling one way or the other could mean a "great victory" for their position on data breach coverage under CGL policies.

But Recall is not really a data breach case and seems unlikely to meet the heightened expectations on either side of the debate. The facts are that IBM hired Recall to transport and store electronic media belonging to IBM. Recall in turn subcontracted with Executive Logistics (Ex Log) to transport the media. During transport on February 23, 2007, a cart containing the computer tapes fell out of the back of the van. Some 130 of the tapes, which contained employment-related data for an estimated 500,000 past and present IBM employees, disappeared from the roadside and were never recovered. Although it appears they were taken by an unknown individual, the fact is that no one really knows what happened to them. The CGL insurer denied coverage and the trial court found in its favor. The Connecticut Appellate Court affirmed, because "[t]here is nothing in the record suggesting that the information on the tapes was ever accessed by anyone."

Policyholders looking to Recall to crack open coverage under CGL policies for data breaches are doomed to disappointment, as are insurers who hope to establish once and for all that a theft of data is not a "publication" triggering personal and advertising injury coverage. The problem for both sides is that the facts in Recall are so unique. The appellate court didn't even need to reach the appropriate definition of "publication" for purposes of the coverage, because there simply was no evidence that a third person obtained the data. As Recall admitted in its reply brief submitted to the Connecticut Supreme Court, "the whereabouts of the tapes and what was done with them is unknown." Given the absence of any indication that the private data (as opposed to the tapes themselves) were in the hands of a third party, and because there was no indication that IBM employees had suffered injury, the court declined to infer any publication of private information. And there you have it: The most that anyone can say in light of the evidence is that the tapes appear to have been taken—not that the private information was stolen, accessed, used, distributed, disclosed . . . nothing. Not a single third person was identified as having obtained the information. Thus, there was no data breach—nothing similar to a third party hacking into a computer network, installation of malicious software on point-of-sale terminals, exfiltration of data, or anything of the kind.

Although a reversal by the Connecticut Supreme Court might benefit policyholders by suggesting that the burden of proving exactly what happened in a cyber-attack should be eased, it won't definitively answer the question whether a deliberate theft of data is a "publication" for purposes of coverage. Likewise, an affirmance will be of no help to insurers in garden-variety data breach cases, where typically there is ample evidence that a third party deliberately accessed the information. Our advice to both sides: Don't hold your breath waiting for a decision in Recall. Appellate decisions that resolve tough coverage issues don't typically fall out of the back of a van—they have to be the right case at the right time, with the right facts. Recall doesn't look like that kind of a case.
