What does the GDPR deadline mean for your insurance?
Many of you are aware this past Friday, May 25th was the big GDPR compliance deadline. As a result, several clients have inquired whether their insurance would provide coverage for claims associated with this new law.
If you’re a US company doing business in the EU, or with European citizens, here is what you need to know about GDPR on the insurance side….
It falls under (U.S.) cyber coverage.
I’m going to first debunk the myth that companies are purchasing standalone GDPR coverage. The type of insurance providing US companies with coverage for GDPR-related liabilities would be a well-written cyber liability insurance policy. Cyber insurance is also written on a global basis, meaning your U.S. policy should respond to claims that occur anywhere in the world.
Review your cyber policy & understand what’s covered.
Cyber insurance is continuously evolving and, in many ways, is non-standardized. A claim that’s covered by one type of cyber policy is often declined by another. Therefore, it’s highly important for every company purchasing cyber insurance to have an intimate understanding of what claim scenarios are covered as well as plan their own insurance response to a cyber attack.
The good news is GDPR compliance doesn’t preclude coverage. A well-written cyber insurance policy should provide coverage for many aspects of GDPR. If you currently have a relatively comprehensive cyber policy, it should already include many of the coverages you’d want applying to a GDPR-related claim. This could potentially include covering defense costs, 3rd party liabilities arising from a breach, business interruption, the cost of notification, and coverage for fines and penalties (subject to what’s allowed by law – more to come here).
Again, now is the time to review your policy with your current provider or an attorney that specializes in this area. It appears that potentially insured liabilities arising out of GDPR non-compliance are going to get costly!
Know your territory (fines & penalties)
In the States, top insurance carriers have already been defending as well as providing coverage for the fines and penalties associated with privacy law violations. Cyber policies are not yet excluding GDPR, and generally include foreign privacy as part of the regulatory coverage. This aspect leaves many believing their policy is providing coverage for GDPR-related fines. However, it’s important to note you are subject to whatever the laws of each EU jurisdiction allow to be insurable. It appears the vast majority of jurisdictions, including the UK, do not allow GDPR fines to be covered by insurance. According to Aon and DLA Piper research, in reviewing a group of 30 jurisdictions the only two which appear to allow GDPR fines to be insurable are Finland and Norway.
You obviously want to make sure your cyber policy provides your defense on this and covers the other key areas noted prior, but make sure you don’t have a false sense of security regarding your insurance coverage for GDPR fines.
Watch your collection of data
GDPR places restrictions on how companies collect data. The wrongful collection of data is something that is generally not covered by cyber insurance. If wrongful collection of data is the reason why you’re not compliant with GDPR, then chances are your insurance will not respond.
Due to demand, there are carriers offering policies that make an exception and specifically provide this coverage for GDPR. We can provide this type of policy if it’s an area of concern, but right now it’s uncommon. Only time will tell what additional changes insurance carriers will make (via endorsement & exclusion) in response to GDPR claims as they occur. We’re certainly expecting a few and will be watching carefully.
Be proactive – avoid claims from ever happening!
The appropriate cyber insurance policy is a critical part of an organization’s risk management strategy around managing the potential costs associated with GDPR. However, it’s important this insurance still be viewed as a final barrier. I recommend consulting with an attorney knowledgeable in GDPR compliance to make sure you’re doing everything you can. This will help to prevent these claims from ever even happening. Please contact me if you’d like a referral in this area: firstname.lastname@example.org