What is Downstream Data Insurance?

Nov 15, 2022 Best Practice

How Does Blancco Help ITADs Who Need It?

Protecting your clients means making sure your data sanitization processes are up to the task.

Heightened regulatory and liability risks to ITAD companies has led to the creation of insurance products that cover both ITAD customers and ITAD service providers. With the correct insurance coverage, ITAD vendors can lessen their financial risk in case of a data violation. They can also supply added reassurance to their clients.

IT asset disposition companies (ITADs) provide an invaluable service to refurbish and resell used IT equipment. Before refurbishing or reselling, however, these IT assets may have sensitive or confidential data that much first be sanitized before it can be safely handed over to a different user. 

Without sanitization, ITAD customers could face great risk if their data is exposed. They could also be in violation of any number of data protection regulations. 

What is downstream data insurance?

Downstream data insurance, or downstream data coverage, is professional liability insurance that addresses the unique risks of businesses that provide data-related services to customers or clients. 

Like traditional cyber insurance policies, downstream data policies cover financial damages if there is a data breach.  But traditional policies fall short, as they often don’t provide sufficient coverage far enough downstream or for a broad enough range of scenarios to cover the client. 

Downstream data insurance provider Downstream Data Coverage cites “claims resulting from the intentional acts of employees” and “claims resulting [from a] violation of federal regulations” as two scenarios that are often neglected with traditional insurance coverage. Instead, ITADs that have insufficient policies can leave clients holding the bag. Their policy simply can’t protect the client in case their data is breached or there is a regulatory compliance issue.

Who developed downstream data coverage?

Downstream data coverage was introduced by the National Association for Information Destruction (NAID) as professional liability insurance for its members. This insurance was developed exclusively to address many of the shortcomings of standard professional liability coverage that left service providers and their customers at risk.

This unique insurance coverage is underwritten by Lloyd’s™. Two of the unique protections include coverage for rogue employees and intentional acts. Such specialized coverage becomes more important considering recent data breaches, including a landmark situation in which hard drives were sold online with data still intact, and another where hard drives destined for scrap went missing from a government organization. 

Qualifying for a downstream data coverage policy

NAID spent four years developing its Downstream Data Coverage insurance policy. To help lower the cost of dependable coverage to its members, it provides this coverage exclusively to vendors who are NAID AAA certified.

The NAID AAA certification requires access protection, background checks, and compliance with security protocols that confirm a vendor’s operational security. NAID also investigates AAA-certified members with announced and unannounced audits.

What NAID certification requires for remarketable IT assets

The refurbishment of equipment requires cleaning, replacement of broken components and testing to ensure the device works properly. To ensure data protection for the client and to abide by data protection regulations, it also requires that all data be removed from the devices before transferring ownership or before disposal of the device. All this effort is done to increase the selling price, decrease returns, ensure data security, and ensure compliance with regulations like HIPAA and the EU GDPR

According to the iSigma website, “NAID AAA Certification® verifies secure data destruction companies’ services’ compliance with all known data protection laws through scheduled and surprise audits by trained, accredited security professionals, fulfilling customers’ regulatory due diligence obligations.”  

Obtaining NAID AAA certification starts with meeting all the requirements within the  i-SIGMA Certification Specifications Reference Manual. Section 4.6 of the manual outlines specifications applicable to sanitizing hard disk drives and solid-state drives via data erasure. 

These certification requirements include having a written, verifiable process that covers:

The manual also specifies the audit methodologies employed when verifying compliance. These methodologies include employing professional data recovery tests on overwritten drives to make sure that no data remains.

NAID certification is rigorous but required to be eligible for downstream data coverage that protects ITADs and their customers. Without data erasure processes that completely and consistently remove data from IT assets, service providers will not be certified, and customers may be left vulnerable. 


Using contracted service providers for data destruction, storage, and many other data-related services will continue to grow in popularity because of the cost savings to organizations. These services will continue to require insurance products that adequately cover liabilities. 

As a vendor to ITADs and other service providers, Blancco is proud of the software-based data erasure we provide. By ensuring that all data securely and permanently erased and beyond recovery, as well as meeting the high standards set for audit-ready verification, we assist ITADs in receiving their NAID AAA certification to qualify for downstream data insurance coverage.

NAID is a professional association that champions the protection of personally identifiable information, intellectual property, as well as regulatory compliance for data service providers and certifies members if they reach industry standard protocols. 

This article was originally published September 25, 2020, and was updated for clarity and alignment with Blancco capabilities November 15, 2022.