Updated: Sep 25, 2020

What is Downstream Data Insurance?

A professional liability insurance policy created specifically for the unique risks of vendors that provide data protection services to third-party clients.

Data-Service Industry Risk and Liability

ITAD companies refurbish and resell millions of computers and phones each year. These devices are sold on the secondhand market, eBay, Amazon and to private parties.

The refurbishment of equipment requires cleaning, replacement of broken components and testing to ensure the device works properly. All this effort is done to increase the selling price and to decrease RMAs. Over the last decade, HIPAA, GDPR and other regulations were introduced that imposed fines for the mishandling of data [1]. These fines focused corporate attention on data and, as data breaches became more widespread, corporations and leasers became concerned about their financial responsibility. Corporations began requesting that ITADs clear all data prior to reselling the equipment. Data clearing and the refurbishment steps then became standard for all ITADs.

Soon after data clearing became standard, organizations began to ask their data-related service providers to retain insurance to cover financial damages in the unlikely event of a data breach. ITADs and other service providers turned to off-the-shelf professional liability coverage but soon realized that the generic policies did not provide adequate protection. These insurance products were already being applied to exposures for conventional professional services. These policies did not address claims resulting from the intentional acts of employees or claims resulting from violations of federal regulations, thus leaving the service provider and their customer at risk.

The insurance products also did not adequately address the notifications for data breaches. The insurance products were developed to cover exposures for organizations with direct regulatory responsibility to provide data breach notification to consumers. Unfortunately, the data breach notification costs of a third-party data processor are significantly different from the data breach notification costs of healthcare or financial organizations.

The standard insurance policies offered and used by many service providers put the customer at greater risk because the service provider would not be able to effectively cover their liability.

NAID & Downstream Data Coverage Insurance

Downstream Data Coverage was introduced by the National Association for Information Destruction (NAID) as professional liability insurance for its members. This insurance was developed exclusively for NAID members to address many of the shortcomings of standard professional liability coverage that leave service providers and their customers at risk.

The unique insurance coverage is underwritten by Lloyd's, and two of the unique protections are coverage for rogue employees and coverage for intentional acts. This specific coverage becomes more important considering the recent data breaches with Morgan Stanley [2] and the case of a Tesla employee who was offered a bribe to intentionally attack the company's systems [3]. NAID spent four years developing this insurance policy and provides it exclusively to its NAID AAA certified members.

NAID is a professional association that champions the protection of personally identifiable information and intellectual property, as well as regulatory compliance for data service providers [4], and certifies members if they meet industry-standard protocols.

The NAID AAA certification requires access protection, background checks and compliance with many security protocols that validate the vendor's operational security. NAID also investigates AAA certified members with regular announced and unannounced audits.

To help lower the cost of dependable coverage to its members, only service providers subject to the security specifications and audits of the NAID AAA Certification process are eligible for Downstream Data Coverage.

NAID's effort to create the Downstream Data Coverage policy has provided specific protection to data-related service providers but many service providers still use inferior or inadequate professional liability insurance. This puts their clients at risk.

Conclusion

Using contracted service providers for data destruction, storage, and many other data-related services will continue to grow in popularity because of the cost savings to organizations. These services will continue to require insurance products that adequately cover liabilities. As a vendor to data-service providers, WhiteCanyon Software is proud of the software-based data erasure we provide and of assisting ITADs in receiving their NAID AAA certification to qualify for Downstream Data Insurance coverage.

For more information on WipeDrive Enterprise, please contact Sales at 801.224.8900



1. hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
2. resource-recycling.com/e-scrap/2020/08/06/morgan-stanley-faces-lawsuits-from-itad-data-mishap
3. thetimes.co.uk/article/tesla-employee-was-offered-1m-to-let-criminals-hack-its-systems-pt7kxhxnz
4. naidonline.org/about/mission