Client Information Security Helping Organizations Protect Private Client Data

Colorado Casualty: “There is no coverage”

Colorado Casualty Insurance company is seeking a judicial ruling that it is not obligated to pay for costs incurred by the University of Utah in 2008 as a result of a client information breach.

On or about June 1, 2008 car burglars stole back-up tapes from the personal car of a Perpetual Storage employee containing medical billings records with sensitive personal information (including social security numbers) on 1.7 million university patients covering a time period of approximately 16 years.

University of Utah officials want Perpetual Storage, their backup storage vendor, to reimburse the cost the university incurred because of the client data breach. Not including 6,232 in personnel hours responding to the breach, the University allegedly spent over $3.2 million on:  (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services.

Colorado Casualty Insurance Company wrote a commercial package policy and a commercial liability umbrella policy for Perpetual Storage that was in effect at the time of the client data breach. Ron Sutherland of United Insurance Services was Perpetual’s insurance agent at the time and placed the coverage with Colorado Casualty.

The University has brought Sutherland and United Insurance Services into the suit as a third party claimant alleging they were “careless, negligent and made various negligent misrepresentations about Perpetual’s insurance coverage from Colorado Casualty.”

The Colorado Casualty suit does not provide any specific details on why the company feels it is not obligated to pay for this claim. Notwithstanding what the Colorado Casualty policy may actually state, the above claim would probably have been covered under most network security and data breach privacy policies currently available.

Lesson learned: It is critical for every agency to inform their client’s about the coverage limitations for any claim arising from a client data and information breach. And, they should offer to provide them with a quote for a Network Security and Data Breach Privacy policy.

Here is an article from the Salt Lake Tribune.

Do you have the proper insurance coverage for the costs of a client information breach?