Exclusively from Foa & Son
The European Union’s new General Data Protection Regulation (GDPR) took effect on May 25th. This sweeping new regulation covers both EU citizens and EU-based employees, even if they are not EU citizens. U.S. companies that do business with EU citizens or have employees there are subject to the regulation, even if they have no physical presence in the EU.
There has been a lot of publicity about this new regulation, so here is just a brief synopsis of key points:
- The regulation substantially broadens the definition of what type of data is considered personal information, and imposes new restrictions on how it may be used, and how it must be secured.
- Individuals have new rights to control their own information. They can learn whether, where, and for what purpose their personal information is being used. They must also consent to how it’s being used, and for it to be transferred to others. They also have a “right to be forgotten”, requesting that their personal information be permanently erased.
- If data is breached, notification must be made within 72 hours of the time a company becomes aware of the breach. Unlawful or accidental destruction of information is also considered a breach.
- Data owners and data processors are equally liable under GDPR. If you use a third party service vendor and they are not in compliance with GDPR, neither are you.
- For the most serious violations of the regulation, fines can run as high as the greater of 4% of worldwide revenue or €20 million. For certain lesser offenses, fines can run up to 2% or €10 million.
The size of the potential fines alone, coupled with the many new ways the regulation can be violated, requires attention. There is also another question still unanswered: will cyber insurance policies cover any costs arising from violations of the GDPR?
Cyber policies are unusual insurance policies in that many of them (and all the better ones) cover regulatory fines and penalties. Most insurance policies don’t do this, and many professional liability and E&O type policies will specifically exclude these. A good cyber policy not only won’t exclude them, it will have a specific insuring agreement providing coverage for fines and penalties. Even such things as Payment Card Industry (PCI) fines, which aren’t regulatory but industry imposed, can be covered.
So why not GDPR fines? Domestic cyber policies in the U.S. follow U.S. (and state) law, which tends to be focused on and geared toward data breaches and their attendant costs. Unlike in the U.S., the basic focus of this new EU regulation is on the individual’s right to privacy. Breaches can trigger penalties, of course, but there is a whole raft of other potential violations in the GDPR that can result in penalties even absent any breach or loss of data. Lacking an actual identifiable breach event, how would coverage be triggered under a cyber policy? And would GDPR penalties for non-breach events be considered a covered fine, or would they be treated more like a punitive damage award? Punitive damages are intended to punish a wrongdoer, and in many jurisdictions or circumstances, even here in the U.S., insurance policies are not allowed to indemnify the policyholder by covering punitive damages.
Cyber policies will have to evolve to reflect new exposures created by the GDPR. Even before getting to the question of insurability of GDPR fines, policy coverage triggers are going to have to be broadened to reflect these new exposures.
We are keeping an eye on this for you. In the meantime, if you have any exposure to the EU, you need to get up to speed on this new regulation. You should also be asking any technology vendors you use whether they are in compliance with the regulation.