In early December, a division of Chartis Insurance (the artist formerly known as AIG) announced that it would offer a new insurance product focused upon evidence spoliation. Interestingly, the product is designed to guard against claims arising from direct physical loss or damage to items that serve as material evidence in a legal proceeding. Perhaps it’s the geek and the recovering attorney in me, but a couple of things are notable in this offering.
First, as with any insurance product, there must be a triggering event. The event here is where the insured party is alleged to have breached its professional duty of care related to the preservation of property that is deemed to have evidentiary value. The insurance would protect against liability for monetary damages and settlement, as well as defense costs for claims alleging a breach of professional duty.
Second, to be clear, this is not insurance that obviates the need for controls or proper handling of sensitive information, though the level of controls maturity will clearly affect how premia are rated. This product, at least as initially introduced, does not appear to be aimed at entities protecting their own data. This insurance offering appears to be geared toward organizations that are “conducting analysis on the property of others” and who, as a result of this analysis, may find themselves “exposed to spoliation as a separate tort” (i.e., sued for the harm caused by losing another party’s stuff—either by the party who owned the lost stuff or by a third party). In legalese, this insurance protects against claims arising from the failure to preserve property of evidentiary value belonging to others that is in the care, custody, and control of the insured. (Hint: Think engineering firm or research group conducting a form of benchmarking on data provided by a company.)
Despite the ostensible target market, it will be interesting to see how other vendors (especially so-called “cloud” vendors) react to this sort of insurance offering. Indeed, there is the old saw—certainly trotted out with great frequency during the heyday of Sarbanes-Oxley compliance—that while you can outsource processes and services, you cannot outsource the risks related to same. So, this leaves us with the question of whether the (potential) availability of such an insurance product to cloud vendors (and other third parties in possession of sensitive and valuable data) will decrease the diligence of these providers in the protection of these sensitive data. An even bigger question is what companies hoping to outsource to such vendors should do about this. It definitely will be an interesting area to monitor over the near term.