Europe’s General Data Protection Regulation (GDPR) came into force in May 2018. It has placed unprecedented obligations on organizations that do business within the European Union or with EU citizens. Companies have long recognized their responsibilities to protect user information. GDPR, however, goes well beyond the data protection and privacy requirements that companies in other key jurisdictions such as the U.S. are familiar with. GDPR may be an EU law but it’s fast becoming a de facto global standard. One area GDPR is having a big impact is cyber insurance.
Risks introduced by GDPR
GDPR forces companies to think about their data collection, data storage, and data use processes, and how that affects their customer’s privacy. It places enormous power in the hands of consumers by giving them the right to access, rectify and delete their personal information held by any organization.
Perhaps the riskiest requirement of the GDPR from a company’s standpoint is the user’s right to be forgotten. A customer can contact an organization and invoke this right. The organization would have to look at all the different platforms where the user’s data may be stored so they can get rid of it. This doesn’t seem hard to do for one user.
But what if millions of customers file such requests simultaneously? The numbers would be staggering even for the largest corporations. It can be especially difficult for old established organizations where the customer’s data is likely to be present in a wide range of legacy and obsolete systems.
Yet, noncompliance with GDPR is expensive. Regulators can fine an organization as much as 4 percent of its annual revenue. For a business with a turnover in the billions of dollars, this can translate into hundreds of millions of dollars. The danger posed by such hefty noncompliance fines is driving demand for GDPR cyber insurance for businesses whose main customer base is in the Europe Union.
The role of GDPR cyber insurance
Cyber insurance coverage can cover everything from the repair of software and hardware after a data breach to the reimbursement of legal costs, public relations expenditure, and lost business. Lloyd’s of London estimates that annual cyber insurance premiums in Europe could surpass $2 billion by 2020. GDPR compliance risks will be a major driver.
The good news is that companies that have already taken up a cyber cover will find that many aspects of GDPR are already taken care of by current policies. Nevertheless, as with every major change in the regulatory environment, there remain some unknowns.
Cyber insurance covers penalties and fines associated with violation of privacy and data protection laws. Still, before you consider a policy a good match for your GDPR cyber insurance requirements, read the fine print. There’s significant variation in the nature of cyber insurance policies. If your current policy does not meet your expectations, seek a more comprehensive cover.
Checking a cyber insurance policy for GDPR compatibility
When evaluating a GDPR cyber insurance cover, make sure the policy clearly addresses the following.
1. Definition of a privacy regulator
Cyber insurance companies often include “foreign” or “international” entities on their list of qualifying privacy regulators. Some will be more specific, especially as relates to GDPR, and explicitly include European Data Protection Authorities (DPAs). This is done to give the insured comfort that the policy they are signing up for does take care of GDPR. In reality, though, spelling out European regulators isn’t usually a material change.
2. Privacy violations vs. privacy breach
Privacy violation and privacy breach are often used interchangeably but the two do not mean the same thing in legalese. In many cyber insurance policies, the term “privacy law” is understood to refer to the laws and regulations that govern privacy breaches. GDPR, however, covers a broader set of privacy concerns including specifying how data in its various states is managed throughout its lifetime.
Insurers are already expanding their policy coverage to accommodate these new kinds of exposures. Nevertheless, even revised insurance policies may not cover all GDPR privacy violations. For example, you are unlikely to get coverage for the failure to designate a Data Protection Officer, a GDPR requirement for organizations that are involved in the large-scale processing of data.
3. Most favorable venue for penalties and fines
GDPR penalties and fines apply to businesses based in the EU and those with EU citizens as customers. The most favorable venue provision is the section of a GDPR cyber insurance policy that signals an insurer’s intention to pay a fine or penalty whenever possible.
In other words, the insurer will factor all reasonable venues before they decide whether a penalty or fine is insurable. These factors include the event’s location, the company’s headquarters, or where the business is incorporated. Policies haven’t always included this provision or language. However, a growing number of insurers are showing their willingness to do so, which is crucial for GDPR compliance.
4. Is the limit sufficient?
GDPR’s penalties and fines top out at 4 percent of a company’s global revenue. For the largest corporations, this can translate into billions of dollars. Of course, regulators are reasonable. Regulators will likely reserve the maximum penalty for the most brazen violations and repeat offenders.
Still, it’s impossible to be completely sure how regulators will assess each violation and thereby determine the appropriate fine. Ergo, large companies should review the limits of their GDPR cyber insurance cover to see how it would stack up against a maximum fine.
5. Critical vendor GDPR cyber insurance
Cyber insurance policies aren’t compulsory anywhere in the world. Nevertheless, contractual obligations and business continuity considerations due to GDPR may compel businesses within the EU to not only take up a GDPR cyber insurance cover but also demand their local and international vendors do the same.
If a critical vendor violates the EU’s privacy laws, the magnitude of the fine could force them out of business. This would negatively impact the operations of the companies they serve. Making sure that all critical vendors have cyber insurance cover that’s compatible with GDPR compliance is therefore vital. It eases the business continuity and disaster recovery process.
6. Penalties and fines may not always be insurable
Even before GDPR, cyber insurance policies explicitly covered penalties and fines associated with privacy breaches. But just because a policy covers these costs and the insurer is willing to pay doesn't mean they will pay.
A regulator may insist that a GDPR cyber insurance cover not be used to pay for a fine. This is intended to exact a painful punishment on the offending company to make an example for other organizations. Therefore, as much as your policy may cover the cost of GDPR noncompliance, it may be helpful to ensure your business has healthy enough cash flows and reserves to withstand a punitive penalty or fine.
Cyber insurance and GDPR: Be ready for the unknowns
Looking at the above, it’s clear that GDPR will drive some changes in how and why businesses take up cyber insurance. As with any new law, there will be some unanticipated situations. The key to keeping your business in the clear is to make sure you have covered all the knowns while bracing yourself as best as you reasonably can for the unknowns.
Featured image: Shutterstock