This webpage provides information to NAID members, prospective members and their customers about Downstream Data Coverage, a professional liability insurance product developed for data-related vendors that is available as a benefit of NAID membership to companies that meet the underwriter's eligibility requirements.
No, the regulatory obligation to protect personal information, as well as the responsibility for data breach notification and other fines resulting from unauthorized access to personal information, always resides with primary data custodian who was originally entrusted with protecting the personal information.
If a downstream data-related contractor causes unauthorized release of personal information, the regulatory responsibility and financial consequences remain with the primary data custodian that hired them.
No, general liability insurance does not cover claims resulting from professional errors and omissions. Only properly crafted professional liability insurance covers such claims.
No, generally the term “bonded,” refers to “employee dishonesty bonding,” which will only cover loss due to employee theft while on the customer’s premises and coverage levels are relatively small low. There is no case in which employee dishonesty bonding would cover financial loss to a customer due to the errors and omissions of a service provider allowing unauthorized access to their customer data.
Downstream Data Coverage professional liability insurance is available to data destruction services, records storage, data tape storage and data transport companies that are NAID AAA Certified.
Of course, when a data-related service provider demonstrates they have the confidence and strength to stand behind their commitment, there is a substantial marketing advantage.
Further, in the unlikely event there were an incident resulting in the release of data, the insurance would cover the expense.
The policy also covers the expense of defending the service provider against false claims related to data breaches.
Just because a service provider does not accept liability in a contract, a customer (or their insurance provider) is still very likely to pursue legal action to recover damages from the errors or omissions of a service provider.
Downstream Data Coverage has two strategies for lowering the cost of professional liability insurance to qualified service providers.
First, by limiting the availability of the coverage to service providers that are subject to the security standards and audit regime of NAID AAA Certification, Downstream will effectively limit losses. Controlled losses will translate into lower premiums.
Second, at some point Downstream will be converted to a “captive” insurance program owned by its policy holders. At that point, having already established a dependable claims history, policy holders will have more control over setting the price of the coverage.
If a policy has loopholes (known as exclusions) that make the policy difficult to collect when there is a breach, it doesn’t matter who it covers. Since Downstream Data Coverage does not have the loopholes found in many professional liability policies, it has to make sure the service providers it covers are a safe risk.
NAID AAA Certification is a voluntary program that routinely audits data-related service providers who are responsible to securely destroy sensitive materials for their clients. The program, which now verifies the security of almost 900 service providers, relies on unannounced and announced audits using third party accredited security professionals to verify compliance. Audits review over 20 operational aspects of security, including employee screening, access control, training, CCTV image capture, and making sure that the firm complies to written policies and procedures that are consistent with data protection regulatory requirements.
Data protection regulations do not require third party data-related service providers to maintain professional liability insurance. It is the prerogative of the primary data custodian who contracts with the service provider to require it.
Yes, the client can sue for damages due to professional errors and omissions regardless of any contractual acceptance of liability.
Establishing a reasonable limited liability is better for the client and for the service provider. Specifying unlimited liability could be deemed unnecessarily onerous and unreasonable by courts and thus be nullified if put to the test. It is also impractical for a service provider to indemnify a client for an unspecified amount with no upper limit. Establishing a reasonable limit to the liability that takes into consideration the risk, the vendor qualifications, the amount of business to be transacted, and the service providers’ ability to practically indemnify themselves is more apt to be viewed as reasonable when put to the test in court.
When organizations first started asking their data-related service providers to have insurance to cover financial damages in the unlikely event of a data breach, service providers turned to off-the-shelf professional liability coverage. They had no alternative.
Unfortunately, while that might have satisfied the customers’ requirement, it often did not provide them with the protection they sought. In fact, the types of claims routinely excluded in those policies, such as claims resulting from the intentional acts of employees or claims resulting violation of federal regulations, were the areas MOST likely to cause a claim in the first place.
Of course, the customer is also at greater risk as a result because their service provider would not be able to effectively cover their liability.
NAID was the first to bring this issue to light. As a result, some insurers modified their language to fix this problem. Had NAID not made it an issue, there would likely have been no action taken. Of course, most insurance companies did nothing and still sell inferior or inadequate professional liability insurance to data-related service providers.
The problem was then, and is today, insurance companies often miss the subtleties of providing coverage to data-related providers. Even today, the language related to “data breach notification” coverage and, what is known as “cybercoverage,” have critical flaws.
We have little doubt that the insurance industry will follow Downstream Data Coverage’s lead. They will have no choice.
For example, many such policies also now have specific coverage for data breach notification costs. Usually, the data breach notification coverage states that it covers the “insureds” data breach notification costs. They and the service provider that purchased the coverage seem to have missed the point that the “insured” (the service provider) does not have the data breach notification cost. From a regulatory point of view, the customer that hired the service provider has the notification responsibility and there is nothing the service provider or the policy can do to change that. The policy should say that it covers the “client’s” data breach notification costs, not the “insureds.”
The point is that it took a combination of organizations that understood the regulations, and that put the service provider’s interests and their customer’s interests first.
When contracting with a data-related contractor to hold them financially responsible for their errors and omissions, is it better for the client (primary data custodian) to specify unlimited liability or establish a specific limit?
How does Downstream’s perspective differ from other professional liability products and how does that perspective reflect on its ability to protect service providers and their clients now and in the future?