At long last, the GDPR effective date is only weeks away. As companies continue to work towards compliance, many are realizing that despite their best efforts, the odds of achieving and perpetually remaining in 100% compliance are slim to none.
As with any massive compliance undertaking, mistakes and missteps related to GDPR requirements are inevitable, especially in a world where data volumes, connectivity, mobility, and risks continue to increase. Given this reality, companies should think long and hard about transferring some of their GDPR-related risks through insurance.
It’s critical to note, though, that finding comprehensive coverage for GDPR exposures requires careful analysis. That undertaking should include a review of the various mandates contained in the GDPR, as well as the company’s practices around protected data, its insurance policy(ies), and the law governing interpretation of those policies. Importantly, even companies with cyber insurance may not have optimal GDPR coverage in place.
GDPR Insurance Coverage Checklist
An analysis of insurance coverage for a company’s GDPR risks should be comprehensive and include the following issues:
- Data Breach Liability
Compliance with the GDPR’s rigorous breach response requirements (see Articles 33 and 34, which require notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, and notifying affected data subjects where the breach is likely to result in a high risk to them) may be quite costly and certainly will require a high level of expertise. Companies will likely have to retain legal counsel as well as forensic, notification, public relations, and credit monitoring professionals, and the company may experience an interruption of its regular business operations.
Most cyber insurance policies provide excellent coverage for a company’s own costs and third party liability related to a data breach. Many insurers also have a pre-vetted team of breach response professionals at the ready to assist an insured in the event of an incident. Coverage for associated regulatory actions, industry fines, reputational harm, and business interruption may also be provided. Not all policies are created equal, however, so a careful review of the applicable policy for relevant and thorough coverage is important in light of the GDPR’s breach response provisions.
- Data Practices Liability
Although a lot of attention is placed on the data breach requirements in the GDPR, GDPR liability also can arise from the company’s practices around its collection, storage, and use of protected information. While most cyber policies provide excellent coverage for data breach risks, they may not provide coverage for liability related to a company’s data practices, even if the policy provides some regulatory coverage. Analysis of coverage for this exposure should include a very careful review of the insurance policy’s insuring agreements in conjunction with its definitions and exclusions.
- GDPR Fines and Penalties
Virtually every discussion about the GDPR emphasizes the massive fines that may be imposed pursuant to Article 83. The fines are tiered by the type of violation: up to 10 000 000 EUR or, in the case of an undertaking, 2% of total worldwide annual turnover of the preceding financial year for the violations listed in Article 83(4), and up to 20 000 000 EUR or 4% of total worldwide annual turnover for those listed in Article 83(5), in each case whichever amount is higher.
Insurance coverage for these fines and penalties requires a comprehensive and thoughtful analysis. The answer to the coverage question will turn on a number of issues, including the following:
* What does the policy say about coverage for regulatory fines and penalties related to a breach, a disclosure, and data-use practices in the absence of a breach or disclosure?
* If there is an intentional violation of the GDPR, will the bad actor’s intent be imputed to the company and potentially trigger an exclusion?
* Will a GDPR fine be considered punitive or compensatory? For insurance coverage purposes, it may be relevant that Article 83 notes that any fine should be “effective, proportionate and dissuasive.”
* Does the policy specify a choice of law with regard to interpretation of the policy and/or coverage for fines and penalties?
* Does the law applicable to interpretation of the insurance policy at issue permit coverage for punitive damages?
* Are there work-arounds if the insurer can’t or won’t provide coverage?
How We Can Help
Coverage for GDPR liabilities is a complicated but crucial issue for today’s companies. The right coverage can help a company respond in a compliant manner to a breach and provide vital protection from the potentially devastating losses that may arise from a regulatory violation.
We can assist with analysis of your existing insurance policy(ies) to determine how your coverage stacks up against your GDPR exposures. If coverage is lacking, we can work with your broker and insurer to reduce uncertainty and maximize insurance protection for potential GDPR liabilities.