December 15, 2018


Your Cyber Insurance Policy May Not Cover GDPR Fines and Liabilities

You may be paying for cyber insurance that will not cover the most significant cyber risks faced by your business.

Recent studies call into question whether a company can insure against the unprecedented huge fines for violating the complex and vague EU privacy law, the General Data Protection Regulation (GDPR), or whether such insurance would cover liabilities arising from the new class action suits available under the GDPR. Companies with international exposure should check their cyber insurance policies to determine coverage of EU fines.

According to an analysis conducted this summer by Aon, GDPR fines were found to be insurable in only two countries – Norway and Finland – out of the 30 European countries surveyed. In fact, in 20 of the 30 jurisdictions, including the UK, France, Spain and Italy, GDPR fines would specifically NOT be insurable. The other eight jurisdictions were less clear, and may depend on whether a GDPR fine is classified as civil or criminal.

Cyber insurer Marsh released a new report this month finding, “The question of insurability of GDPR fines and penalties in EU countries seems to depend largely on EU member state laws and ensuing judicial determinations; however, in the US, domicile may influence the ability to recoup fines and penalties.” Marsh observes that, in the U.S. market, most cyber policies are triggered by cyber incidents and cover legal advice, forensics and data subject notifications, and these policies were not written to “provide coverage for fines and penalties pertaining to organizational privacy practices and compliance” without a breach trigger.

The Marsh report writers observe, “Some carriers provide coverage for GDPR fines only on a case-by-case basis; others do so more broadly. Similarly, some require interested insureds to fill out additional underwriting questions or provide other supplementary information. The scope of coverage also varies, and negotiations regarding additional exclusion waivers or policy rewording may be required to ensure the policy responds as intended.” If you are uncertain which category your cyber insurance falls into, you should review the policy now before you need to use it.

This question is not academic, as the GDPR provides for fines that could reach the greater of 20 million Euro or 4% of your gross annual global revenue. Further, as discussed in this recent article in Business Law Today (also written by Ted Claypoole), the GDPR includes unprecedented extraterritorial enforcement provisions, some of which are specifically designed to catch and penalize U.S. companies. The article also explains how all of the most significant rules of litigation are tilted against data holding companies where an EU regulator or EU data subject sues. The field is slanted so that there is almost no way to defend yourself.

Cyber insurance may be vital in such a situation. Womble Bond Dickinson will assist its clients by reviewing cyber insurance policies upon request and/or by speaking to your company’s insurer on your behalf.

This week, a spokeswoman for the British Information Commissioner’s Office refused to commit to whether their fines could be covered by insurance, and she admonished a Law360 reporter for even asking the question, saying “There is nothing in the GDPR which either permits or prohibits insurance cover against fines. A focus on insurance rather misses the point, and organizations should be looking to recognize the benefits of good information rights practice to their efficiency, reputation and competitive edge.”

Copyright © 2018 Womble Bond Dickinson (US) LLP All Rights Reserved.

About this Author

Theodore Claypoole
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addresses information security risk management and cross-border data transfer issues, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.

...

704-331-4910