June 2010

Does your insurance policy cover security incidents?

It is important to know whether your insurance policy covers security incidents, especially where insurance is a component of your risk management controls. A recent example illustrates this potential issue.

  • Perpetual Storage (http://www.perpetualstorage.com/index_home.htm), an off-site storage facility, allegedly lost backup tapes belonging to the University of Utah, by the action or inaction of one of its drivers, when the tapes were stolen from an employee’s car.
  • Colorado Casualty is now seeking (see Binder1-Utah) a declaration that it is not responsible for covering the loss of $3.3 million associated with notifying 1.7 million people whose individually identifiable information was lost (http://www.sltrib.com/education/ci_14978059).
  • On June 1, 2008, an employee of Perpetual Storage picked up backup tapes containing information about 1.7 million people, 1.1 million of which contained social security numbers, in a secure vehicle to transport the backup tapes directly and immediately to the granite vault facility.
  • Early on the morning of June 2nd, the tapes were stolen from the vehicle of the Perpetual Storage employee. This year Colorado Casualty filed a declaratory judgment against Perpetual Storage, Inc. (“Perpetual Storage”) and the University of Utah (which operates a hospital).

The costs associated with the breach included:

  • $2,483,057 related to credit monitoring expenses;
  • $646,149 related to printing and mailing costs;
  • $81,389.00 related to phone bank costs; and
  • $144,158.00 in miscellaneous costs.

Colorado Casualty (the insurer of Perpetual Storage) specifically seeks a judgment that it is not obligated to pay the breach-related costs sought by the University of Utah. Although the suit does not discuss a cause, it is likely that the insurance company believes that, because the data was in the possession of the storage company, it is not responsible for covering the funds.

According to the University’s Answer to the Complaint for Declaratory Judgment, Cross-Claim, Counterclaim And Third-Party Claim And Jury Demand (“Answer”):

Perpetual’s normal business practices and protocols required Perpetual to immediately deliver University records, including backup tapes, to the granite vault facility. Specifically, Perpetual employees are required to make all storage runs using a Perpetual vehicle that has locked storage compartments in the rear. Moreover, Perpetual employees are forbidden from delaying their delivery of records from the client to the granite vault facility.

(See Answer at 17).

According to court documents, in early July 1, 2009, law enforcement officials recovered the stolen backup tapes. However, the University has already committed to offering free credit monitoring to all patients whose social security numbers were contained in the backup tapes.
