Why You Can’t Count On Cyber Liability Insurance To Cover An ITAD Data Breach
Insurance is your safety net. The right insurance protects your business from unforeseen events, which is why most companies have cyber liability insurance.
Cyber insurance policies can help companies cover the direct costs associated with a data security breach. These include investigation, data restoration, regulatory compliance, notification, credit monitoring, and public relations expenses. Policies may even cover ransomware demands and lost business income.
If you think your cyber liability insurance claim will be approved for an IT asset disposition (ITAD) incident, it’s time to think again. Hidden in the fine print of your cyber insurance policy documents are certain terms and conditions you must comply with.
Insurance companies have specific policies and conditions that dictate when they will provide compensation. Insurance may not compensate for the costs and penalties resulting from an ITAD incident for several reasons:
Exclusions In The Policy
Insurance policies typically have exclusions that outline the circumstances in which coverage is not provided. For example, the policy may exclude coverage for data breaches resulting from the improper disposal of IT assets, or if a data breach was caused intentionally or by criminal acts.
Sometimes, data breaches are caused by third-party vendors’ negligence or malicious actions. If an insurance company can prove that a third-party vendor caused a breach, it may be able to avoid paying out a claim.
Failure To Follow Proper Protocols
Your insurance provider will assess whether or not you took “due care” to protect your business from known risks. If a company fails to follow proper protocols for ITAD, the insurer may argue that the company acted negligently and, therefore, the data security breach was preventable. As a result, the insurance company may deny compensation.
The Securities and Exchange Commission (SEC) fined Morgan Stanley $35 million for “astonishing” IT asset disposition practices. Among the findings, the SEC stated that the company did not have reasonably designed policies and procedures, did not comply with policies or procedures, and did not confirm that policies or procedures were followed.
If an insurance company can prove that a company was negligent in its practices pertaining to ITAD, it may be able to avoid paying out a claim.
Failure To Disclose Relevant Information
The coverage under a policy depends on the representations the insured makes in its application and subsequent compliance with them. One of the biggest reasons for coverage denial is misrepresentations, omissions, or incorrect statements in the insured’s application for the policy. Another is a failure to notify the insurer of any material changes in its security practices.
When applying for an insurance policy, a company must disclose all relevant information, including any potential risks. The insurance company may deny compensation if a company fails to disclose relevant information, such as a prior data security incident resulting from ITAD.
Preexisting Conditions
Cyber insurance policies routinely exclude preexisting or prior breaches. Naturally, insurers want to avoid exposure to incidents that occurred before the policy was purchased.
A significant amount of time can pass between when an ITAD incident occurs and when it is detected, and additional time can pass between when a breach is confirmed and when it is disclosed. For example, the SEC fined Morgan Stanley in 2022 for a pair of breaches that occurred in 2016 and 2019, respectively.
Years may pass before a data breach or a whistleblower discloses an ITAD incident. An insurer might deny a cyber claim for an ITAD incident if the incident occurred before purchasing a policy.
Will Cyber Liability Insurance Cover Regulatory Fines?
Whether insurance will cover the cost of a fine from regulatory agencies, such as the SEC, depends on the insurance policy’s specific terms and conditions. Insurance policies may cover legal costs associated with a regulatory investigation, but they typically do not cover fines or penalties that the sanctioning body may impose.
Insurance policies can contain exclusions for fines and penalties, including fines and penalties imposed by regulatory agencies like the SEC. Additionally, insurance policies may only cover certain types of legal costs, and this can depend on the specific policy and coverage options that a company has purchased.
In Conclusion
It’s essential to carefully review the terms and conditions of an insurance policy to understand what is covered and excluded when it comes to IT asset disposition breaches and regulatory actions.
The typical approach during ITAD is for organizations to allocate assets to an ITAD vendor. This approach, while convenient, needs to meet the minimum standards for safeguards required by privacy-protection regulations. Only a careful, objective examination of asset tracking data performed by an independent party can confirm chain-of-custody or reveal potential data security incidents.
Companies should work to ensure that they comply with all applicable regulations to avoid ITAD incidents and minimize the risk of fines and penalties. If a company is concerned about the risk of fines and penalties from the SEC and other regulators, it may consider purchasing a specialized policy that provides coverage for these risks.
Understanding why a cyber liability insurance claim could be denied will better inform your ITAD decisions.
Ensure Your Insurance Coverage Is There (When You Need It)
An ounce of prevention is worth a pound of cure when it comes to protecting yourself against ITAD-related incidents. The best weapon in your fight against a potential breach is taking steps to ensure it never happens at all. While it might be impossible to eliminate every risk, taking proper steps ensures that your insurance coverage is available when needed.
Here are steps that can be taken today:
- Use Disposal Tags – Serial number tracking is fallible. On average, 40% of inventories reported by disposal vendors contain errors (e.g., duplicates, missing identifiers, etc.). Barcoded disposal tags raise tracking accuracy to 99% or higher. Disposal tags deter theft and are an effective way to track assets and prove chain-of-custody.
- Secure or Destroy Sensitive Data Before Devices are Moved – 99% of ITAD problems happen before a disposal vendor touches the equipment. No vendor can protect an asset it doesn’t receive. Working with a certified electronics recycler is essential but not a guarantee. Destroying data prior to a move is not always possible or practical. The insurer might deny your claim if reasonable safeguards are not in place when transporting data-bearing assets.
- Take Control of Disposition Inventory Reconciliation – Segregation of duties is critical to privacy regulations. ITAD service providers should not be reconciling device inventories; rather, they should report what is received, and the data controller should perform the reconciliation. That way, discrepancies can’t be swept under the rug. The insurer might deny your claim if your procedures allow obvious conflicts of interest.
- Automate and Outsource Inventory Reconciliation – Spreadsheet reconciliation is time-consuming and tedious. Moreover, the results of manual reconciliation can be subjective and impossible for someone else to verify without redoing the entire thing. Automating and outsourcing reconciliation ensures a consistent, objective approach and allows IT asset managers to spend valuable time solving problems. The insurer might deny your claim if your process includes manual procedures prone to human error.
- Have Your Assets Held – To prevent problems, require your ITAD vendor to quarantine equipment until all assets have been accounted for. Most inventory discrepancies can be resolved, but only if you can get a second look at the assets. Never allow a vendor to resell or destroy equipment until chain-of-custody has been established.
- Treat ITAD Discrepancies with Due Regard – Whenever an incident occurs, such as an inventory discrepancy, there is a regulatory obligation to investigate and potentially notify. The insurer might deny your claim if your company fails to recognize incidents and act on them accordingly.
- Test Security Controls – Compliance requires an organization to implement and test safeguards. Detecting a missing asset requires a robust reconciliation process. An effective test of this control is to include a fictitious asset on every disposal inventory. This imaginary asset should get flagged as missing. If the ITAD vendor reports receiving the pretend asset, there is a problem. The insurer might deny your claim if you do not routinely test and validate safeguards.
To be sure, other things can help mitigate the known risks, but they should only be used to support the IT asset disposition best practices cited above.
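As an added example that is not part of the original article, the following Python routine performs the data-controller-side reconciliation and the fictitious-asset control test described in the steps above. The disposal tags, the shipped inventory and the vendor's receipt list are constructed sample data, and the field names are assumptions.

```python
"""Added example (not from the original article): reconcile a data
controller's disposal inventory against an ITAD vendor's receipt report.
It applies the controls the article lists: the data controller, not the
vendor, does the reconciliation; missing, unexpected and duplicate tags are
flagged as discrepancies to investigate; and a fictitious 'canary' asset
must never appear as received. All tag values are constructed sample data."""
from collections import Counter

# Constructed disposal inventory the data controller shipped, keyed by
# barcoded disposal tag. DT-CANARY-0001 is the deliberately fictitious asset.
SHIPPED = {
    "DT-00001": "laptop, SN A1",
    "DT-00002": "laptop, SN B2",
    "DT-00003": "server, SN C3",
    "DT-00004": "drive, SN D4",
    "DT-CANARY-0001": "fictitious test asset (never shipped)",
}
CANARY_TAGS = {"DT-CANARY-0001"}

# Constructed vendor receipt report: one tag per unit the vendor says it got.
VENDOR_RECEIVED = ["DT-00001", "DT-00002", "DT-00002", "DT-00005"]


def reconcile(shipped, received, canaries):
    """Return findings; every non-empty list is a discrepancy the data
    controller must investigate (and possibly notify about) before the
    vendor is allowed to resell or destroy anything."""
    counts = Counter(received)
    expected = set(shipped) - canaries
    findings = {
        # Shipped but never reported received: potentially lost or stolen.
        "missing": sorted(expected - set(counts)),
        # Reported by the vendor but never shipped: inventory error or mix-up.
        "unexpected": sorted(set(counts) - set(shipped)),
        # Same tag reported more than once: duplicate in the vendor inventory.
        "duplicates": sorted(t for t, n in counts.items() if n > 1),
        # Fictitious asset 'received': the vendor's report is not trustworthy.
        "canary_received": sorted(canaries & set(counts)),
    }
    # The control test passes only when the canary was flagged as missing.
    findings["control_test_passed"] = not findings["canary_received"]
    return findings


if __name__ == "__main__":
    for key, value in reconcile(SHIPPED, VENDOR_RECEIVED, CANARY_TAGS).items():
        print(f"{key}: {value}")
```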
How We Can Help
Ready to build a bullet-proof ITAD strategy? Download our free e-book, The Three P’s of Proper IT Asset Disposition, or call me at (888) 839-6555 or email kmarks@retire-it.com. I would be pleased to share a strategy and outline the options if you need an effective, vendor-agnostic approach for defensible disposition.