Palisade firm first to buy new data breach insurance

Phil Castle, The Business Times: 

A Palisade information destruction company was the first in the nation to purchase a new type of insurance that extends coverage for data breaches to its clients.

While the release of confidential financial or medical information remains rare, the effects of such breaches have become increasingly costly, said Scott Fasken, vice president of Colorado Document Security. “This data breach insurance is just another piece of the wall to protect our clients.”

Scott Fasken oversees the operation of Colorado Document Security, an information destruction company in Palisade. The firm was the first in the country to purchase a new type of insurance that extends coverage for data breaches to its clients. (Business Times photo by Phil Castle)

Fasken also serves as president-elect of the National Association of Information Destruction (NAID), and has been involved in a four-year effort to develop data breach insurance for members of the trade association.

NAID worked with Lloyd’s of London and Association Insurance Management to offer professional liability coverage that covers what’s excluded in other policies, Fasken said. For example, other policies exclude claims arising from intentional acts of employees or violations of federal regulations even though such incidents are the most likely to trigger a claim in the first place.

The new insurance covers not only the companies that destroy information, but also their clients, in the event of a data breach, he said. “This is what we worked so hard to have.”

State and federal laws require companies that have experienced data breaches to notify the individuals who are potentially involved and, in some cases, to monitor their credit to make sure identify theft doesn’t occur, Fasken said. Companies also face stiff penalties for data breaches. Under one measure of a new medical privacy law, companies with a data breach could face fines of up to $1.5 million, he added.

Federal regulators have trained state attorneys general to prosecute such cases and keep the fines.

In 2008, the University of Utah spent more than $3 million in notification, credit monitoring and other fees after burglars stole backup tapes containing confidential information about university hospital and clinic patients, Fasken said.

An insurance carrier providing coverage to the storage company from which tapes were stolen subsequently filed a lawsuit, contending the carrier was not obligated to provide coverage to the storage company or defend that company against claims from the university.

While Colorado Document Security turns large pieces of paper into small pieces of paper with its mobile shredding trucks, Fasken said the firm actually sells risk management and regulatory compliance. “Our whole focus is taking clients and protecting them.”

Fasken said data breach insurance offers additional protection that several clients already have told him they appreciate.

Data breach insurance is available only to NAID members who’ve earned AAA certification from the group. That means the firms have undergone annual independent audits to assure they comply with national policies and procedures for secure information destruction. The certification requirement lowers the cost of premiums, Fasken said.

The response from NAID members to the new insurance coverage has been immediate, Fasken said. “People are jumping on it.”