Earlier this year, the European Union’s General Data Protection Regulation (GDPR) went into effect, placing new obligations on companies and organizations that are doing business in the EU, or with European citizens. North Americans are becoming used to privacy breach notification requirements from government, including PIPEDA, CASL, and soon the Digital Privacy Act here in Canada, but GDPR extends well beyond any regulatory measures in place on this side of the Atlantic. It also requires that users have the ability to access, edit, and delete their private information, restricting how companies gather and store data.
That requirement to give consumers such a large degree of control over their private information creates a technological problem for companies. Many organizations, especially older and larger ones, have complex databases of client information, often stored and managed across several different legacy systems. This makes for a difficult engineering problem on its own.
The potential financial impact of GDPR is no picnic — companies can face fines up to 20 million Euros or 4% of total global revenue, whichever is higher. Time will tell how aggressive regulators will be in setting the amount or delivering the maximum penalties, but it will likely depend on factors such as the severity of the non-compliance, any compliance measures the company has put in place, and the degree to which the organization has failed to put protection mechanisms in place.
Does my cyber insurance policy protect me?
Many companies are concerned with how their existing policies will respond in the event they are faced with a fine. The short answer is that if a company is working to comply with the regulations, a good cyber insurance policy will protect them. Of course, there are some variables and unknowns, as with any new regulation of this proportion, that remain to be seen.
It is important to note that for a long time, cyber policies have been used to cover penalties resulting from breaching privacy laws like the GDPR, and on a global basis. The problem is that the policy wordings and coverage can vary widely. Here are some things to be aware of when it comes to cyber policies and the GDPR.
- Privacy breach or privacy violation? This is a small but important distinction. In cyber policies, typically the “privacy law” definition is limited to laws regulating privacy breaches specifically. The privacy issues that GDPR regulates are much broader, including data storage, editing, and accessing. The good news is that insurers will often cover those additional exposures with a “wrongful collection” extension, which should also include allegations of improper data storage and handling.
- How far does the regulatory coverage extend? Some policies have a narrower trigger for regulatory fines and penalties than the general privacy liability coverage, limiting it specifically to fines related to privacy breaches. The policy should address privacy violations that encompass everything related to data handling.
- Do you have “most favourable venue” wording? This provision underlines the insurer’s willingness to pay a fine or penalty whenever possible. They typically affirm that the insurer will assess a claim’s insurability based on any reasonable venue — such as the company’s location, or where the claim occurred. Make sure you read the policy carefully — some insurers have released a “GDPR endorsement” that does not actually address any of these issues.
The murkier side of GDPR
Everything covered to this point has been pretty straightforward, but there are nuances and unknowns that only time will clarify. Two other issues that may come up are limit increases and the insurability of fines.
Should a company increase their limit? It depends. The highest fine or penalty a company can receive under GDPR is 4% of global revenue. That maximum penalty will likely only be levied against the worst repeat offenders, with 2% against minor infractions, but until the laws are prosecuted, there’s no way to know for sure. Limits should be revisited to take into account the worst possible scenario.
Many types of insurance do not cover fines and penalties for privacy violations — cyber insurance has been the exception to this rule in the past. But it is possible that a regulator will not allow insurance to cover the fine in order to properly punish the offender. In that case, though the fines themselves may not be insurable, insurance becomes a critical tool to manage costs related to non-compliance and any losses resulting from business disruption. Those could include regulatory investigation, remediation, legal fees, and the typical costs that accompany compensation and notification to impacted data subjects.
To add one more layer of complexity, there is the additional question of the regulator’s motivation, which can vary by jurisdiction. In some European countries, the proceeds of the fine go directly to the regulator, in which case they’re more likely to be flexible when negotiating. In other countries, the fine is passed to another body, making the regulator more likely to be punitive. Any organization facing a fine from the new laws would be wise to seek qualified legal counsel that understands both the issue and the regulator pursuing the claim. The insurance policy is designed to cover those defense costs.
Clive Bird is an insurance risk specialist, investor, entrepreneur, and product developer for hard-to-place insurance risks.