BreachExchange mailing list archives
Insurer Won't Pay for Breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 15 Jun 2010 15:41:09 -0400
http://www.insurancenetworking.com/news/insurance_technology_risk_claims_data_security_breach-24974-1.html The verdict could have far-reaching ramifications for organizations seeking reimbursement for costs related to mitigating data breaches. Two years ago, back-up tapes for the University of Utah Hospitals and Clinics were stolen from the private vehicle of an employee of a secure storage company called Perpetual Storage. The tapes contained protected health information for 1.7 million patients over a period of 16 years, including Social Security numbers for 1.1 million. Now, the insurer of Perpetual Storage is claiming it is under no obligation to cover the company's liabilities. A ruling in favor of the insurer could have a chilling affect on other provider organizations seeking financial reimbursement for costs related to mitigating data breaches. The Colorado Casualty Insurance Co. is asking the U.S. District Court in Utah to declare that its policies do not provide coverage for the claims made against Perpetual Storage by the university. The insurer also seeks court judgment that it is not obligated to pay any award of damages against Perpetual Storage and has no obligation to defend the company against claims made by the university. In a seven-page Complaint for Declaratory Judgment, Colorado Casualty notes it issued a commercial package policy and a commercial liability umbrella policy to Perpetual Storage, with terms running from May 31, 2008, to May 31, 2009. The university's backup tapes were stolen on June 1, 2008, a day after the policies went into effect. The insurer claims it is not obligated under its policies to cover, pay or protect Perpetual Storage. The insurer's sole explanation for its position reads as follows: "A justiciable controversy exists as to whether or not Colorado Casualty's Policies provide coverage for the claims made by the University against Perpetual Storage and, therefore, Colorado Casualty does hereby request that this Court exercise its jurisdiction under 28 U.S.C., sec. 2201 et seq., the Federal Declaratory Judgment Act, to adjudicate and declare Colorado Casualty's obligations under the Colorado Casualty Policies." An attorney for Colorado Casualty did not return a telephone call asking for comment. The university has filed an answer to Colorado Casualty's complaint, was well as countersuing the insurer and Perpetual Storage. The university claims Colorado Casualty's claims of no obligation are barred by a number of legal doctrines, by the provisions of the contracts of insurance, and by the insurer's own negligence and/or breaches of contract, among other arguments. The university notes that it has incurred damages totaling approximately $3,354,753 resulting from the theft: $2,483,057 for credit monitoring expenses, $646,149 in printing and mailing costs, $81,389 in phone bank costs, and $144,158 in additional miscellaneous costs. The university's court filing details multiple violations of security policies that resulted in the theft and demands that Perpetual Storage reimburse its costs. _______________________________________________ Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org) Archived at http://seclists.org/dataloss/ Get business, compliance, IT and security staff on the same page with CREDANT Technologies: The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives. The eBook begins with considerations important to executives and business leaders. http://www.credant.com/campaigns/ebook-chpt-one-web.php
Current thread:
- Insurer Won't Pay for Breach Jake Kouns (Jun 15)