This article was first prepared for the FERMA 2017 event
25th May 2018 saw the introduction of the much-publicised European General Data Protection Regulation (GDPR), the new data protection regime designed to improve the rights of EU citizens with regard to the use and storage of their personal data. These new protections include the right to access their data, the right to have it erased or corrected, and the right to object to profiling and direct marketing.
It firmly places the onus on corporations to look after people’s data, introducing compulsory notification for all companies that suffer a data breach, fines of up to 4% of annual worldwide turnover, and a 72-hour regulatory notification requirement. And this doesn’t just apply to EU organisations – any company that holds and processes data about EU citizens will have to comply.
Companies are asking themselves how prepared they are for the new regulations, both in terms of their data breach response plans and the personal data they already hold. One of the UK's largest pub chains recently deleted its customer mailing list because the customers on it may not have explicitly consented to receive marketing emails. Risk managers need to work with their IT and marketing colleagues to understand what data they hold, how it’s used and how it’s protected. Companies can retain personal data if it’s still being used for the purpose that was notified to the individual concerned when the data was collected, but must delete personal data when it is no longer needed for that purpose.
The GDPR has increased interest in cyber insurance across Europe, not just to protect against the insurable elements of GDPR, but also for the breach response support. Well-designed policies will include IT, legal and PR assistance during a cyber attack.
We’ve been asked whether GDPR fines are insurable under our CyberEdge policy. Standalone cyber insurance will cover fines to the extent they are insurable by law. However, the extent to which insurance proceeds can be used to recoup the costs of regulator penalties under the GDPR is a grey area which will need to be tested in the courts.
For companies with large amounts of personal data, notifying individuals of a breach which is ‘likely to result in a high risk to the rights and freedoms of individuals’ will be expensive and time-consuming. These costs are insurable under a cyber policy, including follow-up credit and ID monitoring.
In terms of liability claims, anyone who suffers material or non-material damage (including distress) as a result of a data breach will have the right to receive compensation from the company involved. A cyber policy will cover the defence costs and liability claims resulting from a breach of confidential information.
These stricter data protection laws mean the financial consequences of a data breach will increase the loss estimates attached to data protection on a company’s risk register. Risk managers should examine the effectiveness of cyber policies already bought, especially indemnity limits. Whereas buyers of cyber policies used to start with limits of between £10 million and £20 million, we’ve recently seen new buyers starting with cover in excess of £200 million.
Across the globe, boards are becoming increasingly conscious that they could be held personally liable for a cyber breach. So far four cases have been brought against directors in America for cyber hacks, including Target and Home Depot executives. Although all four cases were dismissed and settled out of court, given that data breaches are an established feature of corporate life, cyber-related D&O litigation is expected to continue in the US.
Will this trend be repeated in Europe? The financial impact of a major data breach can be huge, with the average cost of a data breach hitting $4 million according to IBM, so directors should be concerned about their fiduciary obligations. An effective D&O policy which doesn’t contain any specific exclusions will, however, cover a data breach. It’s going to be interesting to see whether there will be any successful D&O claims as a result of non-compliance with GDPR. Even if a claim isn’t successful, the cover against the cost of mounting a defence will prove useful.
Risk managers should be talking to their boards to educate them about GDPR and their new obligations. If directors can show that they take cyber security seriously, and have robust defences in place, then they are protecting themselves against personal liability. Some clients have purchased cyber insurance to demonstrate this commitment to cyber security.