The Data Security Gap in Insurance Claims
When a laptop is dropped, a server is damaged by water, or IT equipment is involved in a fire, the immediate response typically focuses on the insurance claim. Getting the damaged equipment assessed, filing the paperwork, and securing a replacement is the priority. What often gets overlooked in this process is the data still stored on the damaged device, and where that device ends up after the claim is processed.
Insurance claims on IT equipment frequently require the damaged device to be surrendered to the insurer or their appointed assessor. Once the device leaves your possession, you lose control over what happens to the data stored on it. The insurer may send it to a repair facility, sell it as salvage, or dispose of it through channels that have no data security protocols. Your business data could end up in the hands of anyone who encounters the device along the way.
How Insurance Claim Processes Create Data Exposure
The standard insurance claim process for IT equipment typically involves several stages where data exposure can occur. First, the damaged device may need to be inspected by an assessor, either at your premises or at an external location. During this inspection, the assessor or their technicians may power on the device and access its contents to verify the extent of damage.
Second, if the claim is approved and the device is written off, the insurer takes ownership of the salvage. Damaged equipment that the insurer now owns may be sold to salvage dealers, recyclers, or refurbishers. These secondary parties acquire the physical device along with any data it contains.
Third, even devices that appear severely damaged may still contain recoverable data. A laptop with a cracked screen and broken keyboard may have a perfectly intact hard drive or SSD. A water-damaged server may have drives that, once dried, are partially or fully readable. Fire-damaged equipment can also yield recoverable data depending on the severity of the heat exposure.
Fourth, during the claim process, documentation about the device and its contents may be shared with the insurer, assessors, and adjusters. If this documentation describes the types of data stored on the device, it creates awareness of the data’s value that could be exploited.
Your Obligations Regardless of Insurance Status
The Australian Privacy Act requires you to take reasonable steps to protect personal information, and this obligation does not pause because you are making an insurance claim. Surrendering a data-laden device to an insurer without taking steps to protect the data on it could constitute a failure to take reasonable protective measures.
Similarly, if the device stored payment card data, PCI DSS requirements apply regardless of the device’s physical condition or insurance status. The obligation to render cardholder data unrecoverable on media leaving the organisation’s control applies whether the media is leaving voluntarily through disposal or involuntarily through an insurance claim process.
Your insurance policy itself may also be relevant. Some policies include provisions about data, and some exclude liability for data breaches resulting from claimed equipment. Understanding what your policy covers and does not cover helps you assess the full risk profile of surrendering equipment.
Protecting Data During the Claims Process
The ideal approach is to perform data destruction on the damaged device before it leaves your premises, even if it is being surrendered to the insurer. If the device is functional enough to connect a data sanitisation tool, perform a NIST 800-88 compliant wipe before handing it over.
If the device cannot be wiped via software due to the extent of physical damage, consider removing the storage media (hard drives or SSDs) and retaining them for separate destruction. You can surrender the rest of the device for the insurance claim while keeping the data-bearing components under your control. Discuss this approach with your insurer beforehand, as some policies may require surrender of the complete device.
If the insurer insists on receiving the complete device including storage media, negotiate data destruction provisions into the claim process. Request that the insurer arrange for certified data destruction of the storage media before the device enters any salvage or resale channel, and that a certificate of destruction be provided to you.
Document the data types stored on the device before surrendering it. This documentation helps you assess the risk if the device’s data is subsequently accessed and provides a basis for any notifications that may be required under the Notifiable Data Breaches scheme.
Working with Insurers and Assessors
When lodging a claim for IT equipment, proactively raise data security with your insurer. Explain that the device contains sensitive business data and ask what provisions the insurer has for data protection during the claims process. Many insurers have not thought deeply about this issue, and raising it early gives you the best chance of a reasonable outcome.
If an external assessor needs to inspect the device, request that the inspection occur at your premises rather than at an external facility. This keeps the device under your control for as long as possible and allows you to oversee what access the assessor has to the device’s contents.
For organisations that regularly claim on IT equipment, consider negotiating data destruction provisions into the insurance policy at renewal. Specifying that the insurer will arrange certified data destruction on any salvaged equipment, or that you retain the right to remove storage media before surrender, protects your position for future claims.
When Devices Are Stolen
Theft claims present an even more challenging scenario because the device has already left your control without any opportunity for data destruction. In theft situations, the immediate response should focus on remote wiping the device if MDM capabilities are in place, revoking all access credentials that may be cached on the device, and assessing whether the theft triggers notifiable data breach obligations.
Full disk encryption is the most effective pre-emptive measure for theft scenarios. If the stolen device was encrypted with a strong passphrase or hardware-backed encryption, the data remains protected even though the device is no longer in your possession.
Prevention Through Preparation
The best protection against data exposure during insurance claims is preparation before an incident occurs. Enabling full disk encryption on all devices ensures that physical damage or loss does not automatically mean data exposure. Maintaining a current asset register that records what data types each device may contain allows for rapid risk assessment when a claim is needed. And establishing clear procedures for IT equipment insurance claims, including data security steps, ensures that data protection is not an afterthought in the stressful aftermath of equipment damage or loss.
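The steps above for damaged and stolen devices, driven from an asset register, as an added example that is not part of the original article. The register field names, the sample rows, the treatment of soldered (non-removable) storage and the residual-risk flag are assumptions made for illustration.

```python
from dataclasses import dataclass

WIPE = "run NIST 800-88 compliant wipe before handover"
PULL_MEDIA = "remove storage media and retain it for separate destruction"
CERT = "require certified destruction by the insurer plus a certificate of destruction"
REMOTE_WIPE = "issue remote wipe via MDM"
REVOKE = "revoke credentials that may be cached on the device"
NDB = "assess Notifiable Data Breaches obligations"
PCI = "confirm cardholder data is unrecoverable before media leaves your control"
RESIDUAL = "residual risk: unencrypted data leaves with the device"

@dataclass(frozen=True)
class Asset:  # one asset-register row; field names are assumptions
    tag: str
    data_types: frozenset   # labels such as "personal", "cardholder"
    encrypted: bool         # full disk encryption enabled
    mdm_enrolled: bool
    media_removable: bool   # False for soldered storage

# Constructed sample register, not real inventory data.
REGISTER = {a.tag: a for a in (
    Asset("LT-0417", frozenset({"personal"}), True, True, False),
    Asset("SRV-0032", frozenset({"cardholder", "personal"}), False, False, True),
)}

def claim_steps(asset, event, powers_on=False, insurer_wants_complete=False):
    """Ordered data-protection steps for one claim, per the guidance above."""
    steps = ["document data types: " + ", ".join(sorted(asset.data_types))]
    if event == "theft":
        if asset.mdm_enrolled:
            steps.append(REMOTE_WIPE)
        return steps + [REVOKE, NDB]
    if event != "damage":
        raise ValueError(f"unknown event: {event!r}")
    if powers_on:
        steps.append(WIPE)
    elif asset.media_removable and not insurer_wants_complete:
        steps.append(PULL_MEDIA)
    else:
        steps.append(CERT)
        if not asset.encrypted:
            steps.append(RESIDUAL)
    if "cardholder" in asset.data_types:
        steps.append(PCI)
    return steps

if __name__ == "__main__":
    for line in claim_steps(REGISTER["SRV-0032"], "damage"):
        print("-", line)
```

Keeping the register current is what makes the output useful: a stale `encrypted` or `data_types` value produces the wrong step list at exactly the moment the claim is being lodged.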
