According to news reports, Colorado Casualty Insurance Co. last week asked a judge to rule that it is not liable to pay a $3.3 million claim filed by its client, Perpetual Storage, after a burglar stole backup tapes containing the personal records of 1.7 million University of Utah medical patients from a Perpetual employee's car.
The request for a ruling is in response to a lawsuit filed in April by the University of Utah, which is seeking reimbursement from Perpetual Storage and its insurers for the $3.3 million it spent to remediate potential security problems caused by the theft of the backup tapes in 2008.
At issue is who should pay the $3.3 million in remediation costs: the University of Utah, which owns the patient data; Perpetual Storage, which violated policy by leaving the university's backup tapes in a car while in transit to a secure facility; or Perpetual Storage's insurance company, which issued a policy to protect Perpetual from costs arising from a data breach.
So far, the University of Utah has absorbed the entire cost of the breach, including $2.5 million in credit monitoring services for the affected patients, more than $640,000 in printing and mailing associated with notifications, and more than $80,000 for a call center dedicated to the breach.
The university is now seeking redress from Perpetual Storage, its primary long-term data storage provider. The backup billing tapes were stolen from the personal car of a Perpetual Storage driver. The university said the driver violated company protocols by not using a secure company van and by leaving the tapes in his car overnight instead of delivering them to the vault. The disks were recovered a short time later.
Colorado Casualty Insurance Company wrote a commercial package policy and a commercial liability umbrella policy for Perpetual Storage that was in effect at the time of the client data breach, according to reports. Ron Sutherland of United Insurance Services was Perpetual's insurance agent at the time and placed the coverage with Colorado Casualty.
According to a report, the university has also brought Sutherland and United Insurance Services into the suit as a third-party claimant, alleging they were "careless, negligent, and made various negligent misrepresentations about Perpetual's insurance coverage from Colorado Casualty."
Colorado Casualty's request for a ruling does not provide any specific details on why the company thinks it is not obligated to pay the claim. Experts say the claim would probably have been covered under most network security and data breach privacy policies currently available.