When dealing with regulatory legislation like the EU General Data Protection Regulation (GDPR), which is more important: ensuring your organization is compliant or being properly insured? Both are obviously necessary strategies for your business to ensure its continued welfare. That is why we have made GDPR an important and ongoing focus here on TechGenix with articles about GDPR privacy principles you need to know about, what GDPR means for mobile data, how GDPR can affect companies across borders, and many other recent articles we’ve published on our site.
But while most of our coverage has focused on various compliance issues, assuring 100 percent compliance with any body of regulations as complex as GDPR involves a certain degree of risk. Hence the need to ensure your business has adequate insurance coverage to handle those situations where your compliance efforts have fallen short for one reason or another. So how do we navigate this compliance vs. insurance tightrope?
Let’s start by taking a closer look at what’s involved on the compliance side of safeguarding your company from imploding because of GDPR-associated problems. We all know, of course, that ensuring your organization is compliant with GDPR and similar privacy regulations isn’t as simple as checking off a bunch of action items on a list. In fact, there are three things you need to consider concerning compliance.
Your first consideration, of course, is to review and understand the regulations themselves. That’s simple: you just read them through and make sure you understand them. Should only take you a few hours, right? Wrong!
That’s not all, however. Another important consideration is that you need to be aware of how the regulations are interpreted by the regulators (governing bodies of the EU in the case of GDPR) and by those who are being regulated (businesses and organizations that collect user data). That should keep your legal department busy for a while!
But wait, there’s more! A third key consideration is how the regulations are actually being applied to different kinds of organizations such as native vs foreign companies, large vs small businesses, compliant vs resistant defendants. Here we’re entering into the realm of court activity, judgments, and penalties. For example, Google has recently been accused of GDPR privacy violations by seven EU countries, and this is only the first shot in what is likely to be an enormous volley of GDPR litigation in the coming months. Not everyone believes this first shot is on target, however. For example, Amit Ashbel, a security evangelist for data protection and compliance provider Cognigo, says, “As far as I know, Google does disable tracking by default, and it seems that this is an attempt to catch them on something that is very minor. That said, the problem is so much wider distributed that there is no need to look so hard to find a GDPR regulation breach. Most organizations today are in breach of GDPR regulations by just not knowing where 80 percent of their data is, and thus not managing, protecting or being able to report on it.” So the question that immediately should come to mind for any of us who own or manage companies is: Do you know where your data is?
That last consideration concerning application has probably been a major one for many businesses, especially smaller ones that don’t have the budget to hire an army of lawyers to make sure they’re 99.999 percent compliant with GDPR. What I mean is that many organizations seem to be taking a wait-and-see stance toward GDPR, waiting to see how some of the big-name cases play out over the coming months in terms of judgments and penalties awarded.
The problem with that sort of approach, however, is that in most cases it’s not going to take months for these court cases to resolve; it’ll take years. And meanwhile, companies that haven’t put sufficient effort into ensuring they are GDPR compliant are exposing themselves to the risk of being sued themselves.
Hence the need for insurance to cover such risk, which should be an essential part of an organization’s overall security and privacy compliance strategy. “Cyber liability insurance plays a crucial role in any organization’s business plan, especially in today’s modern, digital era,” says Jeff Somers, president of Insureon, a company that provides small business cyber liability insurance. “When hackers enter a network, hold data hostage, or acquire sensitive information, the business they steal from can be held liable for the incident. Cyber liability insurance can help companies survive potentially damaging cyberattacks and data breaches by assisting with recovery expenses, including customer notification, credit monitoring, fines, and legal fees.” And concerning cyber insurance and GDPR, Jeff says, “Many aspects of GDPR can be covered by a solid cyber liability insurance policy, which is good news for any business that carries this type of insurance. However, it’s important to note that policies can vary drastically depending on the insurance provider and business’s needs, as there’s not a one-size-fits-all cyber policy for every business. Policies won’t protect against some GDPR violations, such as failing to hire a data protection officer. To ensure that your business is truly prepared, talk to your insurance provider to make sure your coverage aligns with your GDPR preparations.”
As with any kind of insurance, there are also some things you need to keep in mind concerning cyber insurance. These considerations closely parallel those I mentioned previously concerning compliance with regulations like GDPR. For instance, your first concern should be to make sure you know what you’re insured against, that is, to know what your policy says. That should only take a few hours, provided you have a lawyer who can translate your policy into plain old English or whatever language your policy is written in. A second consideration, however, is how the exact words of your policy are interpreted, both by you and by your insurance provider. Don’t automatically assume that what you believe a sentence means is how your insurance company interprets the text of your policy. When in doubt, get your organization’s legal department involved again. In fact, why not move them into the guest bedroom of your house, since you’ll likely be spending a lot of time with them in this new GDPR era.
And while cyber insurance is clearly important for most companies to have, it certainly isn’t a panacea for offloading the GDPR-related risk your organization faces. For example, when I asked Shane Nolan, senior vice president for technology, consumer & business services at IDA Ireland, what he felt was the importance of having appropriate cybersecurity insurance as part of one’s overall strategy for ensuring compliance with GDPR and similar regulations, he acknowledged that insurance was important for such purposes but also warned companies about being naive. “Any type of insurance is important, but for companies to assume that getting an insurance policy covers them completely is naive,” Shane says. “Insurance is just one part of an overall suite of things to indemnify organizations against cyberattacks, but companies need to ensure that they have done their own groundwork in terms of locking down their network and protecting the data in the first place. Depending on what you want to cover, there is a long shopping list of things that insurers will cover, but for smaller and midsized companies the cost could potentially be prohibitive.”
I asked Shane how he has seen smaller businesses dealing with this situation. “What we are finding is that smaller and midsized companies that feel the need to have sophisticated protections for data and their network are all migrating to cloud environments. Top-end network security infrastructure costs a lot of money, and if you are a large company it’s easier to swallow. What we are seeing, particularly as we engage with public cloud providers that have massive operations in Ireland such as Amazon, Google, Microsoft and others, is that midsized companies are putting more of their online and digital activity into a public cloud environment, because the scale of the public cloud providers is such that a smaller company can have their network and data locked down at a level that could be prohibitively expensive otherwise. The larger companies have high standards and, in turn, will have their own indemnity cover.”
While GDPR has certainly been top of the list in the minds of most companies lately, it’s not the only privacy consideration organizations should worry about. “GDPR has certainly focused the mind,” Shane says, “but there were always cyberattacks that happened before GDPR, and they will continue to come. But GDPR has focused the mind because of the potential scale of the fines for non-compliance. The fines are based on global revenue, and coincidentally GDPR has come at a time when cyberattacks are becoming more prevalent. The dynamic is such that when cyberattacks happen you tend to find that the majority of companies impacted by them are small businesses, and then ironically enough they are the companies for which insurance is the most expensive. What we are seeing is that the move to the cloud lowers the risk somewhat for smaller companies, and therefore if you have lower risk the cost of indemnifying yourself is lower. That blend is a trend we are seeing for midsized and smaller businesses.”
Compliance vs. insurance: Navigating risk
Risk is a part of any business activity, and GDPR is just another risk that many companies need to face with realism and determination. Having adequate cyber insurance and taking appropriate steps to ensure compliance are just two essential strategies that every organization should implement to ensure they’re able to navigate the risk waters of business without getting sunk.