The stopwatch is running. Companies are scrambling to figure out how the EU’s General Data Protection Regulation (GDPR)—due to go into effect on May 25, 2018—will affect how they do business. Uncertainty and speculation abound; no one knows exactly how the law will be enforced, particularly with respect to companies domiciled outside the EU, with no EU footprint, who process and hold the personal data of EU residents. But while publications are awash with advice regarding compliance, few tackle the question whether your business is protected against loss in the event of a data breach or other unintentional failure to comply. We strongly suggest that your due diligence include a review of your insurance coverage for GDPR non-compliance, especially for fines, penalties and lawsuits (individual or class action). Qualified coverage counsel should assist in the review, but key areas of focus include:
Coverage for Costs of Compliance
Many costs that companies will incur to comply with GDPR simply will not be covered by any insurance. Insurance is designed to respond to fortuitous loss or liability, not ordinary costs of doing business. Thus, for example, coverage likely is unavailable for expenses to adopt and implement data security measures, maintain required records, respond to individuals’ requests to access or delete their data, or hire a Data Protection Officer.
On the other hand, the cost of notification in the event of a data breach is a standard feature of specialized “cyber” insurance policies. The GDPR requires a “controller” of personal data to notify the relevant supervisory authority “without undue delay” and, where feasible, within 72 hours of discovering a breach, unless the breach is unlikely to involve a “risk to the rights and freedoms of natural persons.” Further, where the breach is likely to result in a high risk to such rights and freedoms, the controller also must notify the affected data subjects without undue delay, subject to certain exceptions. Cyber policies generally do cover the cost of notification to individuals. You should examine your policy to make sure that coverage applies in the event of a suspected breach as well as in the case of known unauthorized disclosure. On the other hand, not all cyber policies currently cover the cost of notifying privacy regulators—an important coverage addition to explore with your insurer at renewal time.
In addition, cyber policies typically cover fees for legal advice on compliance with breach notification laws. This coverage is especially valuable for a policyholder facing new obligations under the GDPR.
Coverage for Fines and Penalties
Commentators have expressed doubt whether coverage will be available for GDPR fines, in part because of their sheer magnitude. The GDPR provides for two tiers of administrative fines—the higher topping out at the greater of a whopping €20 million or 4% of global annual turnover for the preceding financial year. The higher tier applies to a wide range of violations, including processing personal data without either the subject’s express consent or one of several prescribed alternative justifications; failure to provide data subjects with transparent information regarding their rights under the GDPR; failure to give the data subject required access to his or her data or to rectify inaccurate data; and failure to comply with the rules governing the transfer of personal data outside the EU. Lower tier fines—up to the greater of €10 million or 2% of global annual turnover for the preceding year–apply to violations such as failure to timely notify the supervisory authority of a breach, failure to cooperate with the data protection supervisory authority, or failure to appoint a Data Protection Officer.
Cyber policies generally do provide coverage for civil fines and penalties imposed by governmental authorities for breach of privacy laws, but there are three key caveats in relation to GDPR. First, many policies limit coverage for regulatory fines and penalties to those imposed as the result of a data breach. Fines imposed for violations of non-breach-related GDPR provisions may not be covered under such policies. A second real concern is whether it will even be possible to obtain full protection. Analysts have noted, for example, that, based on its revenues, a typical FTSE 100 company could face up to £5 billion for GDPR violations. Very large companies may be able to purchase over $100 million in cyber coverage, but probably nowhere near the theoretical maximum of a GDPR fine. Finally, cyber policies commonly contain language barring coverage for fines and penalties unless they are “insurable by law.” The better policies also provide that the insurability of fines or penalties shall be determined by the “laws of any applicable jurisdiction that most favors coverage for such monetary fines or penalties.” Uncertainty nevertheless arises because the insurability of fines such as those imposed by the GDPR largely has not been tested in the courts of EU Member States (or in the US for that matter). For all of these reasons, policyholders and insurers alike should consider enhancement of current policy wordings and limits in light of GDPR.
Also importantly, only civil fines are covered by insurance—criminal penalties almost never are. GDPR administrative fines are civil in nature. But the GDPR permits EU Member States to impose their own penalties for violations outside administrative fines. These penalties may be criminal in nature and most likely would not be covered.
Coverage for Third-Party Liability
The GDPR also confers a private right of action on data subjects for violations of the Regulation. Individuals may seek monetary damages in the EU Member State in which they reside, or in which the defendant data controller or processer has an establishment. Although cyber policies provide coverage for damages and defense costs arising out of third-party claims due to privacy breaches, not all claims for violations of GDPR would be covered under many current wordings. Some policies cover liability arising out of the unauthorized access to or disclosure of personally identifiable information, but do not address the wrongful collection or processing of information in the absence of disclosure, the failure to provide individuals access to their own information or to correct or delete data when requested, or the failure to make required disclosures when obtaining data subjects’ consent. Insurers should consider expanding coverage to include these new exposures.
Cyber policies are a vital source of protection for businesses soon to be subject to the GDPR. But policyholders need to re-evaluate their existing programs, and insurers need to continue to modify policies to maintain their competitive value. Ready or not, the GDPR countdown is on.