As detailed by the Salt Lake Tribune, Colorado Casualty Insurance Co. contends it is not obligated to cover costs incurred in 2008 by the University of Utah after tapes containing electronic medical billing records on 1.7 million patients were stolen from a car. The insurer filed a declaratory judgment action on April 9, 2010 seeking a declaration that the commercial package insurance purchased by the vendor who was to safeguard the records, Perpetual Storage, did not provide coverage for the claims made against the insurer. A review of the seven-page complaint provides no insight as to the terms of the policy in question.
The claim is ultimately based on first-party costs incurred by the University of Utah. Not including 6,232 personnel hours spent responding to the breach, the University allegedly spent over $3.2 million on: (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services.
Notwithstanding what the Colorado Casualty policy may actually state, the above claim would have been covered under most network security and privacy (NSAP) policies. Lesson learned: It is critical to confirm that a vendor's insurance clause lists the necessary coverages, including NSAP coverage if the vendor is to handle sensitive data.