Can you insure against GDPR fines?

May 25, 2018

You will no doubt have received a number of emails from various organisations asking you to give your consent to stay in touch.

General Data Protection Regulation (GDPR) replaces the UK’s Data Protection Act 1998 and all other national data protection legislation in the EU with effect from 25 May 2018. The key purpose of the GDPR is to govern how personal data is used.

Personal data is any data (whether automated or manual) that can directly, or indirectly, on its own or when combined with other data, identify a living person, e.g. an email address, password, survey, purchase history or telephone number. It is worth noting that the UK government is bringing in its own legislation to retain the principles of the GDPR after Brexit so this isn’t something that will go away any time soon!

The GDPR will be enforced by the Information Commissioners Office (ICO) and data breaches must be notified to the ICO within 72 hours (chronological, not business hours) and to the data subjects without undue delay. Businesses using a high volume of personal data will need to appoint a data protection officer.

Experts anticipate an increase in hacking activity once GDPR is live as criminals look to extort companies by negotiating against potential ICO fines following a data breach.

Will insurance cover the cost of a data breach?

Insurance cover for data breaches can fall under either Directors & Officers insurance or Cyber Liability insurance, however, there are significant differences in the cover provided across the two types of policies:

Directors & Officers coverage

Under these policies, insurers’ standard wordings purely cover your defence and investigation costs following a breach, although some insurers do also include cover for the cost of contacting your customers and suppliers as legally required following a data protection breach. In our opinion, most directors & officers policies are not really designed to fully cover your exposures following a data breach. However, equally, not all GDPR breaches will be as a result of a cyber event – such as your organisation accidentally emailing data to a third party.

Cyber Liability coverage

As the name suggests, cyber liability policies are specifically designed to protect you in the event of a “cyber event”. Cyber insurers also have incident response teams who help companies in the event of a breach and we expect these services to positively impact on how the ICO views a company’s reaction to an incident.

In addition to the defence costs covered under a directors & officers policy, cyber policies provide the following additional areas of cover:

  • Specifically, in respect of GDPR: Breach costs – losses incurred by you (other than uninsurable fines) if you suffer from the unauthorised access, use or disclosure of personal data;
  • Cyber business interruption – if your business suffers from an interruption as a result of a cyber-attack from a third-party or a hacker, cover is available for your loss of income and increased costs of working;
  • Hacker damage;
  • Cyber extortion including denial of access;
  • Media liability – cover for infringement of intellectual property rights, defamation or negligent transmission of a virus due to hacker damage;

Does the cover extend to include GDPR fines?

Penalties for breach of the regulations could be severe – as much as the higher of €20 million or 4% of worldwide turnover.

At present, most insurers offering directors & officers and cyber liability policies are confirming that ICO fines are insurable unless a court rules otherwise. However, regulatory fines are generally not insurable in the UK so the current legal position on whether the fines would be covered is still far from clear. In our opinion, there will need to be legal test cases before anyone is able to ultimately define the cover being offered around ICO fines.

How the ICO fine companies is expected to be led by the nature of the breach.  As a data processor, you are expected to have sufficient systems in place to prevent data breaches so if you have chosen to cut corners and left your systems open to third parties, it may be argued that you have taken insufficient care which would almost certainly result in some form of fine. However, if you had invested in firewall software, actively tried to keep personal data securely stored and engaged experts following an incident (either independently or via cyber insurers), general opinion is that the ICO will work positively with a company following a breach.

What should you do next?

Speak to Yutree Insurance to discuss Cyber Liability and Directors & Officers insurance
Check that any existing personal data held by or on behalf of your business is opted-in AND that that you can verify its source AND user acceptance of the terms on which it is held.
Institute a process for re-permissioning existing data so that it is GDPR compliant.
Put a procedure in place to ensure that no non-compliant data is used after 25th May 2018.
Ensure any personal data collected in future has an audit path to demonstrate GDPR compliant consent.
Ensure that any consents are granular, i.e., that data subjects consent to the specific brands and services to which they wish to opt-in.
Revise all contracts with third-party data controllers or processors to ensure that they are GDPR compliant and indemnify your business (as far as the law allows) against any GDPR breach by them.
Introduce data protection impact assessments where processing is likely to be high risk in GDPR terms.
Design GDPR processing systems into all new projects involving personal data.
Put in place GDPR compliant data-breach procedures.
The ICO provides some useful guidance on their web site.

Author: Simon Miller, Director, Yutree

Tags: , , ,

News & Insights

A hub for Yutree and industry thinking