Aon Risk Solutions Press Kit — Research
DATA BREACH: Policy wording is key in insurance denial case – 14 June 2010
A recent court case demonstrates the importance of purchasing privacy and security insurance. In 2008, the University of Utah suffered a data breach that was caused by Perpetual Storage, a third-party service provider that was hired by the university. The breach occurred when burglars stole back-up tapes from Perpetual Storage containing confidential data on 1.7 million of the university’s hospital and clinic patients. The tapes were on their way to a storage facility when they were stolen from a car belonging to a Perpetual Storage employee. Law enforcement found the tapes a few days later, but the university had already spent more than $3.3 million in credit monitoring fees, breach notification costs and additional expenses.
In April 2010, Colorado Casualty, the insurance carrier that was providing insurance coverage to Perpetual at the time of the theft, filed a lawsuit in the U.S. District Court, District of Utah, seeking protection against any claims made against Perpetual by the university. In the complaint, Colorado Casualty stated that it is not obligated to defend Perpetual Storage against any claims made by the university regarding this matter, nor would it provide coverage for Perpetual Storage under the Colorado Casualty policies for these claims.
According to the complaint, Colorado Casualty had issued two policies to Perpetual Storage: a commercial package policy and a commercial liability umbrella policy, apparently without specific privacy and security breach coverage. We have not seen the policies that are at issue in this case and do not know the policies’ terms and conditions. That said, general liability policies are generally limited to tangible property and deal with the issue in one of two ways: either (1) the policy is silent and does not address the concept of intangible property (electronic data); or (2) there is a specific exclusion under which coverage is limited to tangible perils (e.g., fire and wind) that cause tangible damage (e.g., burned property). Furthermore, and more importantly, courts have recently found computer data exclusions enforceable to deny coverage under these types of policies.
Privacy and security policies, on the other hand, specifically address the loss, damage or theft of personally identifiable information and are intended to provide coverage for companies that suffer data breaches. These policies may also reimburse companies for their first-party expenses that occur due to such breaches (i.e., notification costs and credit monitoring to affected parties).
In cases such as Colorado Casualty Insurance Company vs. Perpetual Storage and the University of Utah, there could be at least two privacy and security insurance provisions that would apply. First of all, if the University of Utah purchased a network risk insurance policy, its policy could have been drafted to cover the university’s $3.3 million in losses and expenses. After payment from the university’s insurer, the insurer might step into the shoes of the university (known as subrogation) and proceed to collect from the negligent party (Perpetual).
If the university did not purchase its own privacy and security insurance, then it would be forced to rely on its contractual allocation of liability in its data storage contract with Perpetual. Unless the university was named as an additional insured on Perpetual’s insurance policy, it must rely on Perpetual for reimbursement since the university does not have any right to collect against the Perpetual policy. If Perpetual has not negotiated specific wording to cover network risks in its commercial package policy, then it may have to pay $3.3 million to reimburse the university, depending upon the language in the contract between Perpetual and the university.
We will provide updates as this case develops. In any case, risk managers should review their entity’s information asset exposures and potential solutions.