GDPR (General Data Protection Regulation) is undoubtedly the hot topic in insurance at the moment and with its introduction in May imminent this is unlikely to change. While the majority of businesses are preparing for GDPR in various ways, few have looked at cyber insurance as a way of helping them to meet their obligations. In this bulletin Gallagher discuss how cyber insurance can do this.
What is GDPR?
GDPR is a new EU regulation which updates outdated privacy and data protection laws for the digital age and which affects any businesses trading within Europe, including the UK. Among the changes are: the right to be forgotten, to access any data held about you as well as harsher penalties brought by the Information Commissioners’ Office (ICO) for organisations who fail to properly protect data. Enforcement starts 25 May, 2018 (for further information visit the website of the Information Commissioner’s Office.)
In the instance that a data breach occurs, organisations will need to notify the Information Commissioners’ Office within 72 hours, and the individuals who are potentially affected, while at the same time identifying and rectifying the source and extent of the breach. Even failing to do this can incur a fine, though at a lower tier than the 4% maximum discussed later, yet this obligation could easily be met by the Breach Response line included in our cyber insurance (which also includes communication and notification costs). Those affected are also free to bring litigation against your organisation, opening you up to further financial penalties.
Even pre-GDPR cases like this are already occurring, with one supermarket, who in spite of incurring more than £2 million in breach response costs, having been ruled vicariously liable for breaches of privacy and confidence as well as data protection laws. The High Court ruled that the supermarket must pay compensation for the upset and distress caused by this breach. As the case affected both former and current workers, the cost of damages will be as extensive as the reputational damage incurred.
Under the GDPR, businesses may be subject to fines of up to €20milion or 4% of annual global turnover – whichever is greater for non-compliance. When a similar fine was applied to one business in 2016 by the ICO, this was paid from their cyber insurance but this doesn’t necessarily mean GDPR fines will be. In fact, they are more likely to fall under the category of statutory penalties or criminal sanctions – making them unrecoverable by insurers. These fines are complicated areas, and until they are rolled out it will be impossible to affirm whether they can be covered within the scope of a cyber policy; however these policies are still a vital tool for absorbing costs caused by other areas of complying with, defending or appealing the consequences of a breach.
Taken all together, the fines and time committed to dealing with a cyber breach can be an expensive process. A cyber policy can outsource these issues, giving you access to specialist knowledge which could help you to avert a PR crisis and a significant fine, as well as getting the business back up and running. GDPR isn’t going away, but a cyber policy can help ensure that your business keeps trading with minimal financial and reputational damage.
Our cyber insurance offers a 24-hour hotline response, speeding up the important step of reporting the breach to the ICO. Pre-breach offerings are available to help you prepare for the eventuality of a breach occurring. Post-event we can help you with disaster recovery costs, pay for forensic investigations into the cause of the breach and help to mitigate the damage by engaging PR specialists and legal advisors. We offer specialist knowledge and delivery of a service that will help you mitigate the problems surrounding cyber breaches with the right focus. In short, it could solve a problem that you are unlikely to tackle on your own.
Repairing and reporting a breach can be a complex process. A PR team may be needed to navigate the reputational damage and an IT team to attempt to recover and/or restore the data. All of which will need finding, negotiating and implementing – a task you could definitely do without when time is against you.