GDPR Liability, Data Protection, and Fines: Will My Cyber Insurance Cover Them?

When the General Data Protection Regulation (GDPR) went into effect on May 25th, 2018, significant new data protection obligations were placed on companies doing business in the EU or with European citizens. Adopted in 2016 after a lengthy debate among EU member companies, GDPR goes far beyond the data breach notification requirements that we are familiar with in the US. In addition, it places restrictions on how companies collect and manage data, requiring that consumers have the ability to access, correct, and delete private information.

Companies have long been aware of their obligations to protect data, but the complexity required in allowing consumers to access, change, and delete their data is a major technological challenge, particularly for mature companies with data stored in myriad legacy systems. At the recent Advisen Cyber Risk Insights Conference, one attorney noted that GDPR is a massive engineering problem being managed by a bunch of privacy lawyers.

What are the potential penalties?

Perhaps the most alarming aspect of GDPR is the potential for significant financial consequences. Companies found to be in violation of the regulation can face fines of up to 4% of their total global revenue. While no one can predict how aggressive regulators will be in determining fines, it should be noted that several EU member countries, including Germany, Ireland, and France, have proposed capping fines at 7-9% of global revenue, so they may feel that 4% is already an effective discount.

So, am I covered?

With the May 2018 effective date of GDPR looming, many companies are asking questions about how their insurance policies will respond.  The good news is that there are many aspects of GDPR that should be covered by a solid cyber insurance policy. As you might expect, however, there are also some big unknowns.

To start, cyber insurance policies have long been proactive in offering coverage for fines and penalties associated with violations of privacy laws. Further, most cyber policies are written on a global basis. Sounds like we’re all good, right?

Not so fast.  As we’ve explained in prior blog posts, cyber policies are anything but standardized, and this is an area where potential differences in language could significantly impact coverage.  Here are the key things we are evaluating in cyber policies with respect to GDPR:

• Who is a privacy regulator? Many cyber policies include “international” or “foreign” entities in the list of potential privacy regulatory bodies. Often, cyber insurers will specifically add European Data Protection Authorities (DPAs) by endorsement to make the policy sound GDPR-savvy, but in most policies, this is not a material change.
• Privacy breach vs. Privacy violations. One important nuance is that the definition of “privacy law” in cyber policies is generally limited to laws regulating privacy breaches.  GDPR will impose rules around a much broader set of privacy issues, including how data is stored, managed, and accessed.  Insurers are now willing to expand coverage to include claims related to these exposures.  This extension is often referred to as “wrongful collection” coverage, but should also include allegations of improper storage and handling of data.
• Scope of regulatory coverage. Similarly, we’ve seen a few policies where the trigger for regulatory fines and penalties was narrower than the general privacy liability coverage and specifically limited to fines related to privacy breaches.  The policy should clearly address privacy violations related to all aspects of the handling of data.  Note that cyber policies will likely NOT cover some GDPR violations such as failing to hire a Data Protection Officer (a requirement for companies that conduct “large-scale processing” of personal data).
• Most favorable venue wording for fines and penalties. Commonly found in D&O and EPL policies where coverage for punitive damages is available, a “most favorable venue” provision reinforces the insurer’s intent to pay a fine whenever possible.  Such provisions usually state that the insurer will take into consideration all reasonable venues to determine the insurability of a fine or penalty, such as where the company is located, headquartered, or incorporated, or where the claim or event occurred.  Cyber policies do not consistently include this language, but insurers are increasingly willing to add by endorsement.

We’ve seen a few insurers release a “GDPR endorsement” that essentially just puts the term “GDPR” into the policy without addressing any of the above issues, so be sure to read beyond the title of an endorsement!

Other less-clear GDPR considerations

Some questions that may come up include:

• Will we need more limit?  Fines and penalties under GDPR max out at 4% of revenue. While we assume that the maximum fines will be reserved for egregious and repeat offenders, there is no way to know what fines might be assessed for more incidental violations. Companies should review their limits to consider the possibility of a catastrophic fine.
• Are fines and penalties insurable?  Contrary to most types of insurance, cyber policies have long explicitly covered fines and penalties for privacy violations. There is always a risk, however, that a regulator will insist that insurance should NOT be used to pay a fine so that the fine will have the intended punitive effect. To date, that has not been the case with privacy breach fines in the US.  Some observers have suggested that European DPAs may take a different tack, particularly where they are looking to make an example of companies as the law first takes effect.  Even if you have the “most favorable venue” wording described above, a regulator may refuse to settle a case until a company agrees not to seek insurance coverage for the fine.
• Do we need local policies?  Cyber policies in the US are written on a global basis, meaning they will respond to claims and cyber events that happen anywhere in the world.  And unlike workers’ compensation and auto liability insurance, cyber is not (yet) compulsory.  This means that companies are generally not buying local policies. Contractual requirements could change that. As European companies wrestle with GDPR, they may start to demand that their vendors buy cyber insurance from local sources to ease recovery. Local policies do not generally add a lot of costs, but they add administrative complexity.

When it comes to GDPR from a cyber insurance perspective, there are some easy answers and some difficult questions. It seems reasonable to assume that there will also be some unanticipated consequences as the law comes into effect. We’ll be watching closely to see what new challenges arise and how the cyber insurance market responds.