June 8, 2010
Contributed by Debbie Howlett

A recent report from Computerworld states that Colorado Casualty, an insurance company, has filed a lawsuit claiming that it is not liable to cover the $3.3 million the University of Utah spent to inform staff and faculty of a security breach. Despite substantial internal data-leak prevention measures taken by the school, its data backup provider, Perpetual Storage, lost the information when someone stole tapes from an employee's car in 2008.
The lawsuit, filed in the Utah federal court, states that Colorado Casualty is not responsible for covering the loss, but "offers little explanation as to why exactly the insurer believes it is not obligated to pay the breach related costs sought by the university," according to Computerworld. Although the suit does not discuss a cause, the insurance company likely believes that because the data was in the storage company's possession, the insurer is not responsible for covering the funds.
Since the incident, the university has ended its relationship with Colorado Casualty and contracted another insurance company to handle potential security breaches.
Following the theft of the tapes, authorities located the stolen property, but the school spent $3.3 million notifying the 1.7 million people treated at its hospitals and clinics of the potential data loss. Perpetual Storage filed a motion to dismiss the lawsuit, and told the news provider that it does expect a judge to rule in favor of Colorado Casualty. Such lawsuits are commonplace when customers file claims this large with their insurers.
Data-leak prevention companies and experts have advised colleges and universities throughout the United States to take better precautions against data loss. However, many still struggle to secure their entire network; in fact, Pennsylvania State University recently reported that the Social Security numbers of more than 15,000 current and former students and staff may have been compromised as a result of malware found on a university computer.
Pennsylvania state law required PSU to inform those possibly affected by the breach with a letter detailing the incident and a packet of information explaining the possible effects of identity theft. Utah enacted a similar law earlier this year that requires any business or organization that stores information about its residents to adopt detailed security procedures and inform them of any security breach.