On the 25th of May this year, the EU General Data Protection Regulation (GDPR) will come into force, putting data protection into the spotlight. The effects of this new regulation and the changes that it brings will be onerous on businesses and will include stricter enforcement of data breach notification. This article takes a look at GDPR, provides an overview of the changes to the current data protection framework and sets out how insurance can play a critical role in a business’s planning and protection for GDPR.
GDPR will create a uniform data protection framework across the EU, giving individuals control of their own personal data whilst enforcing strict rules on those in possession of this data. Though an EU regulation, GDPR will apply to any business that collects data from EU subjects or provides any type of goods or services to any individual within the EU, regardless of whether the business processes or stores the data within the EU or not. The new regulation includes the right for individuals to access their data, the right to be informed, the right to rectify and erase and the right to restrict processing. It firmly puts an onus on businesses to change their perception of data protection and take responsibility to keep personal data secure and ensure that individuals’ rights are respected. It introduces a new requirement of compulsory notification for all companies to the supervisory authority (the Data Protection Commissioner here in Ireland) within 72 hours after discovery of a breach of personal data, and notification of data subjects without undue delay if the breach poses a ‘high risk to their rights and freedoms’.
GDPR also significantly increases the scope and nature of fines for non-compliance. A business will potentially be subject to fines of up to €20 million or 4% of total global annual turnover (whichever is higher) for a breach. Individuals and boards of directors also face increased exposure to legal actions, for example from individuals for data breaches, from shareholders for mismanagement of privacy risk and from regulators.
Cyber Liability insurance provides two very important aspects of coverage in response to GDPR. Firstly, it protects against the insurable elements of GDPR and, secondly, it provides first response and event management support. The insurable elements of GDPR include cover for potential fines, notification costs and third-party liability claims. Broad standalone Cyber Liability policies will cover regulatory fines to the extent they are insurable by law. Notification to the supervisory authority and individuals following a breach which is likely to result ‘in a high risk to the rights and freedoms of individuals’ will be both expensive and time-consuming; these costs are insurable, including follow-up credit and ID monitoring. With respect to third-party liability claims, following the introduction of GDPR, individuals will now have the right to sue for non-material damage in addition to material damage and will have the right to receive compensation from the business involved. A Cyber Liability policy will cover the defence costs and liability claims resulting from a confidential information breach. The first response and event management support provides a coordinated approach to a data breach, including IT, legal and PR assistance.
Given the introduction of GDPR and the increase in cyber-attacks globally, it has never been so important that businesses consider a well-designed, broad-coverage Cyber Liability policy, not only to cover those risks arising from a breach of GDPR but also for the immediate access to experts provided for under these policies. For any business that already purchases Cyber Liability insurance, consideration must also be given to whether the existing limits of indemnity are sufficient, as the financial consequences of a data breach will almost certainly increase under GDPR. GDPR creates a significant exposure not only for Cyber Liability insurance, but also for Directors & Officers Liability insurance. With accountability as a core theme in the new regulation, Cyber Liability is no longer the only relevant insurance to consider and emphasis should also be placed on Directors & Officers Liability insurance.
The principal aim of Directors & Officers insurance is to protect the personal assets of directors and officers. The policy also responds to meet the potentially crippling defence costs in the event of an allegation of wrongful management, in addition to judgements and settlements. Directors & Officers exposure exists across the spectrum: from large financial institutions and small family-run SMEs with a local customer base, to sports organisations with a large list of members and charitable organisations.
The quality of directors’ and officers’ decision-making is constantly being tested by new and evolving threats, such as cyber-attacks, and by the resulting changes in regulation, for example GDPR. The role of the board is critical in identifying and managing cyber exposure so as to limit its effect on the business. Directors are becoming increasingly concerned that in the event of a cyber breach, some blame will inevitably lie at their door. Increased scrutiny on management is likely to focus on whether the board approved the right level of funding for IT security, applied the correct rigour in analysing cyber exposure and purchased the right level of insurance cover.
The cyber threat is an evolving one and is clearly imposing additional responsibilities on directors, but what remains unclear is what the resulting ramifications will be for company executives. The financial impact of a data breach can be huge; as such, directors should be concerned about both their fiduciary obligation to the company and its shareholders, and directors’ own personal assets, which are at risk in the event of a claim for alleged wrongful management. In a situation where a cyber incident has a material effect on a company’s shareholder value, or indeed its reputational value, litigation will almost certainly ensue, particularly if there is a lapse on the part of the board to insure the cyber exposure.
Given the potential personal exposure for directors and management of companies, the purchase of a broad Directors & Officers Liability policy, in conjunction with a Cyber Liability policy, should be strongly considered when discussing preparation for GDPR from an insurance perspective. Cases have been brought against executives of various US companies following cyber hacks, for example Target and Home Depot. It will be interesting to see what follows for directors of Irish and European organisations following the introduction of GDPR in May 2018. Expensive data breaches are now a fact of corporate life, and it seems inevitable that cyber-related D&O litigation will follow, as both aggrieved shareholders and customers seek retribution and regulators start to use their enhanced powers.
For more information relating to this article, please contact Caoimhe.gormley@aig.com or Michelle.boland@aig.com