One of the most significant risks facing corporate organizations today is that of a data breach. When secure data gets into the wrong hands – either by accident or through nefarious forces – it can hurt a company financially; damage its reputation with customers, potential customers, and the general public; and threaten its compliance status with industry regulations (which could lead to having to pay costly fines). That’s why data security is an area where risk management professionals are focusing their attention, either as part of a risk management strategy or, more recently, as part of a corporate governance, risk management, and compliance (GRC) initiative.
Many things can trigger a data breach: a misplaced laptop, a stolen drive, a hacker attack. One area that shouldn’t be overlooked as a source of data breach is the procedure through which your company disposes of its retired IT equipment. This process, called IT asset disposition (ITAD), involves removing pieces of surplus IT equipment from your company’s facilities and sending them to be recycled or, if they still have value, resold. Clearly, if a hard drive makes it through the disposition process with secure data still on it, it puts your company at risk for a data breach. Fortunately, that risk can be managed by following best practices for IT asset disposition and protecting yourself with an ITAD vendor that has data breach insurance coverage.
How data breach insurance can minimize the risk of IT asset disposition
The surest way to prevent your company’s and its customers’ sensitive data from leaking into the outside world through your IT asset disposition process is to choose a vendor that holds a leading third-party certification in data sanitization (wiping), like AAA certification from the National Association for Information Destruction (NAID). If you use an NAID-certified vendor, you can be sure that it meets the highest standards for data security and its entire disposition process has been documented. However, even the most airtight and up-to-date data destruction procedure can benefit from being backed up by data breach insurance, just in case something goes wrong.
What is data breach insurance?
Coverage for the costs associated with a data breach is a fairly new offering from the insurance industry. It can come packaged as a separate stand-alone policy or as a rider specific to data breach costs on an existing business insurance policy. Coverage varies, but data breach insurance policies often cover costs for:
- Recovering lost data.
- Legal defense and lawsuit payments.
- Payment of regulatory fines.
- Notifying customers and others whose information may have been leaked.
If your organization’s IT asset disposition or data sanitization provider isn’t covered by data breach insurance (and don’t take their word for it; ask to see their certificate of insurance), your company is at risk. In addition to reducing financial risk, evidence of data breach and other important insurance coverage tells you that your ITAD vendor is committed to doing asset disposition right, that it has the financial stability to buy the insurance, and that it is willing to stand by its sound ITAD processes and organization.
What else does a risk management team need to know about IT asset disposition?
While data security is often the most significant risk, the IT asset disposition process can put an organization at risk in other areas as well, including environmental and regulatory compliance. Our “Guide to Minimizing the Risk of IT Asset Disposition” helps risk managers and compliance teams identify the chinks in their organization’s armor that might be caused by ITAD and offers several strategies for minimizing their impact.