Professional Liability Insurance

New regulations and mandatory fines, as well as increasing enforcement, have dramatically increased the potential of damages resulting from inadvertent or negligent mistakes by the vendors you trust to meet your data protection requirements.

By having the proper Professional Liability Insurance in place, your data-related vendor is able to take responsibility for any financial damages they might cause.

Like all insurance, there is little likelihood it will be used.  It is still prudent to require that vendors have such coverage as a precaution from a due diligence perspective.

How downstream data coverage offers better protection to our customers

Most professional liability insurance products were developed for general applications.

Even in the few cases where a policy was created for data protection exposures, they were almost universally created for exposures of primary data custodians, such as healthcare or financial institutions.

Downstream data coverage was developed because other PROFESSIONAL LIABILITY INSURANCE products failed to address the unique liabilities of data-related providers and the customers such insurance was meant to protect.

A few important differences between Downstream Data Coverage and non specific insurance products

Clients’ data breach notification expenses are covered to the full limit of the policy – and its says so in writing

Many policies don’t cover breach notification at all or only cover the service provider for their data breach notification costs.  Further, data breach coverage is usually subject to limits on claims much lower than the full limit of the policy.  The only way to be sure client breach notification costs are covered to the full limit of the policy is when it says so in writing.

Downstream Data Coverage applies to professional Liabilities for all media, including electronic, sent to the service provider – and is says to in writing.

Many Professional Liability Insurance policies do not apply to electronic information or do not specifically state that it is covered in writing.  Other policies sometimes include what is called “cybercoverage”.  Unfortunately, not only does this type of protection offer lower coverage, it is usually not designed to cover damages from unauthorized access to discarded electronic equipment.

Downstream Data Coverage is only available to service providers who are also NAID AAA Certified.

While it is prudent to require service providers to have Professional Liability Insurance, you also need to do everything you can to make sure their operations are secure and monitored.  NAID AAA Certification verifies service providers’ security operations with ongoing announced and unannounced audits by trained and accredited third-party security professionals.  NAID Certification is now required by hundreds of state and federal agencies, and by thousands of private businesses.

Source: National Association of Information Destruction; Downstream Data Coverage brochure