Data Destruction Industry Responds to Need for Protection

The Situation

Using outside vendors for data destruction and other data-related services has grown so popular because they can do it more securely and more economically than organizations can do it for themselves.

Man signing document of liabilityBut, with stringent regulations and severe financial consequences, customers have come to realize that they are responsible in the unlikely event a data breach or other loss is caused by those vendors – no matter how it happened. Today, 47 states have data breach notification laws, and HIPAA requires data breach notification across the country when breaches involve healthcare information. Fines for improper data disposal and expenses for data breach notification over the last few years are in the tens of millions of dollars and continually increasing.

So customers are right to be concerned.

That’s why many customers insist that data-related service providers reasonably indemnify them from any harmful financial consequences they cause. Unfortunately, many of the professional liability products on the market do NOT ADEQUATELY ADDRESS THE RISKS.

So, how then can customers really know they are protected, especially when they may never see the policy?

The Problem

When organizations first started asking their data-related service providers to have insurance to cover financial damages in the unlikely event of a data breach, service providers turned to off-the-shelf professional liability coverage. They had no choice.

While that might have satisfied the customer’s requirement, it often did not provide them with the protection they sought. In fact, the types of claims routinely EXCLUDED in those policies, such as claims resulting from the intentional acts of employees or claims resulting in the violation of federal regulations, were the areas MOST likely to cause a claim in the first place. Of course, that meant the customer was at risk because their service provider could not effectively cover their liability.

The problem then, and still the case today, is that insurance companies often miss the subtleties of providing coverage to data-related providers. Language related to “data breach notification” coverage and “cybercoverage”, often has critical flaws. It took the National Association for Information Destruction (NAID) an industry organization that understood the issues, and put the service provider’s interests — AND their customers’ interests – first, to find and address the critical policy shortcomings. In what turned out to be a four-year project to provide real protection to its members and their customers, NAID created Downstream Data Coverage.

Broken data CDsThe Solution

At its core, Downstream Data Coverage is professional liability insurance developed exclusively for NAID members to address many of the shortcomings of standard professional liability coverages that leave service providers and their customers at risk.

For the last 17 years, NAID has been known for its in-depth understanding of current data protection regulations, and its perspective as a consumer protection advocate and industry watchdog. Created in collaboration with insurance industry leader Lloyds, Downstream Data Coverage is a policy that both the service provider and its customers can trust to protect them.

Here are just a few important differences of Downstream Data Coverage:

Customer data breach notification expenses are covered to the full limit of the policy – and it says so in writing.

Many policies don’t cover breach notification at all or only cover the service provider for their data breach notification costs. Further, data breach coverage is usually subject to limits on claims much lower than the full limit of the policy. The only way to be sure client breach notification costs are covered to the full limit of the policy is when it says so in writing.

Downstream Data Coverage applies to professional liabilities for all media sent to the service provider, including electronic – and it says so in writing.

Many professional liability insurance policies do not apply to electronic information or do not specifically state that it is covered in writing. Other policies sometimes include what’s called “cybercoverage.” Unfortunately, not only does this type of protection offer lower coverage, it is usually not designed to cover damages from unauthorized access to discarded electronic equipment.

Downstream Data Coverage is only available to service providers who are AAA NAID Certified

While it is prudent to require service providers to have professional liability insurance, you also need to do everything you can to make sure their operations are secure and monitored. NAID AAA Certification verifies service providers’ security operations with ongoing announced and unannounced audits by trained and accredited third-party security professionals. NAID Certification is now required by hundreds of state and federal agencies, and by thousands of private businesses.

Best practice dictates that data service providers stand behind their commitments. Downstream Data Coverage helps us do just that. Find out more on our Professional Liability Insurance page.