By now, the EU’s General Data Protection Regulation (GDPR) has gone into effect.  This update is not intended to provide a “deep dive” into the regulatory regime instituted by GDPR.  For our purposes, it is sufficient to note that GDPR bestows protections that expand beyond the privacy breach notice requirements familiar to companies in the United States.  Among other things, GDPR places restrictions on the collection, use and management of data, requires that companies be able to map the use of personal data, and enables individuals to access, correct, and delete their personal information.

Moreover, GDPR reaches beyond the borders of the EU; imposing requirements on organizations that operate primarily outside of the EU so long as they collect or process the data of an individual residing, even temporarily, in the EU. Among the most worrying elements of GDPR’s regulatory scheme are the sanctions for violations.  For first-time and non-intentional violators, the penalty is a warning and the correction of the non-compliance.  The upper limit for penalties is €20 million or 4% of annual world-wide turnover for the previous year, whichever is greater.  It is unknown how aggressive regulators will be in assessing fines, but it is dangerous to discount entirely the risk of substantial penalties.

In the scramble to comply with GDPR’s introduction of substantial new obligations, there is a risk that some enterprises may not have sufficiently considered how their current cyber-insurance program will respond to GDPR’s regulatory framework.  But with the sizeable penalties introduced by GDPR, it is prudent to ask whether existing cyber-insurance policies cover these new exposures.  Fortunately, there are many elements of GDPR that dovetail with leading cyber-insurance policy forms (e.g., many cyber policies cover regulatory fines and penalties and have world-wide scope).  But cyber-insurance policies are far from standardized and different insurers and competing forms offer widely different terms.   Seemingly minor differences in policy language can significantly affect the scope of coverage.  Many cyber-insurers have issued GDPR endorsements, but the efficacy of these endorsements is all over the map.

Only by reviewing their cyber-insurance policies and GDPR endorsements can policyholders assess just how effectively their coverage responds to their particular risks and needs.  Because of the diversity of cyber-insurance policy language, it is not feasible to provide a “one-size fits all” list of terms that policyholders should look for to ensure that they are adequately protected for GDPR-related exposures.  There are, however, some key topics around which GDPR coverage-related issues are likely to coalesce:

• Privacy Violations vs. Privacy Breaches: The privacy insuring agreements of many cyber-policies apply solely to privacy breaches – to the unauthorized access to or disclosure of personal information.  Insuring agreements that apply solely to breaches may not provide coverage for violations of privacy laws or regulations that do not concern privacy breaches.  For example, the improper handling or storage of data or the failure to provide an individual with an accurate record of the processing of personal information may not be covered if an insuring agreement applies only to privacy breaches.
•  Personal Data: The scope of the terms “personal data” or “sensitive personal data” as used in GDPR is broader than the analogous term “personally identifiable information” as used in domestic laws such as Gramm-Leach-Blilely, HIPAA, or HITECH.  It is important to confirm that personally identifiable information or similar terms are defined expansively enough to capture the range of personal data protected under GDPR.
•  Scope and amount of regulatory coverage: It is not unusual for cyber-insurance policies to provide regulatory coverage only for fines and penalties resulting from privacy breaches or from violations of privacy breach notification laws and regulations.  Optimally, regulatory coverage should apply to fines and penalties assessed for any violation of a privacy law or regulation and not simply to violations of breach and breach notice laws or regulations.  In addition, regulatory coverage is often written with lower sub-limits of liability than other insuring agreements.  Given the significant fines and penalties that can be assessed for privacy violations under GDPR, time and experience will tell if it is necessary to seek higher regulatory limits.
• Liability Coverage: Some older forms of cyber-insurance policies did not include liability coverage for claims brought by third-parties.  Such policy forms covered notification costs for privacy breaches and regulatory fines and penalties but did not cover claims for damages.  There may be an uptick in the number of private claims commenced in the aftermath of GDPR implementation.  With the advent of GDPR, it is prudent to confirm whether cyber-insurance programs include liability coverage for privacy claims.
•  Identity of the privacy regulator: It is now routine for cyber-insurance policies to include foreign or international regulators in the definition of the relevant regulatory entities.  But if foreign privacy regulators are not included within the relevant definition, it is imperative that the policy be amended to include foreign regulatory authorities.  Some endorsements may include a reference to domestic or foreign “authorized data protection authorities.”
• Covered fines or penalties: Different jurisdictions have widely differing rules for the insurability of fines and penalties.  Given the significance of fines and penalties to the GDPR enforcement regime, it is in the interest of policyholders to secure policy language providing that fines and penalties are covered to the fullest extent permissible under the law of the most favorable jurisdiction with a connection to the claim or matter.  Most favorable venue wording is preferable to language providing that fines or penalties will be covered to the extent permissible or some similar formulation.

It is important to keep in mind that many of the costs associated with the obligations imposed by GDPR may not be covered under any cyber-insurance policy.  Such costs and expenses include: the cost of bringing systems into compliance and maintaining operational compliance, the cost of hiring a Data Protection Officer, the cost of data mapping in order to create a record of processing activities in response to a request from a data subject, or the cost of complying with a data subject’s request for erasure.  Insurers are likely to assert that such costs of complying with regulatory requirements are costs of doing business.

GDPR creates a significant array of new regulatory obligations and exposures for enterprises involved in the collection, handling, and processing of data.  It is impossible to predict all the consequences of the regulation.  Given the uncertainties and the significant expense and effort required to come into compliance with GDPR, it is easy to pay short shrift to the implications of GDPR on cyber-insurance programs. But failing to pay heed to the impact of GDPR on existing insurance programs may result in unexpected gaps in coverage.

Daniel J. Struck is an experienced policyholder attorney that advocates on behalf of corporate and individual insurance policyholders throughout the United States in contested claims, and counsels clients in complex insurance advisory matters.

This Blog/Web Site is made available by Culhane Meadows, PLLC and its attorneys for educational purposes only and to provide general information about the law—not to provide you specific legal advice. By using this Blog/Web Site you understand that there is no attorney client relationship between you and any Culhane Meadows attorney. This Blog/Web Site should not be used or relied upon as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction. Also, please note that although this Blog/Web Site is made available on the Internet, Culhane Meadows attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.