Daniel J. Healy of Anderson Kill's cyber insurance recovery practice sorts out the complex coverage issues raised by the EU's General Data Protection Regulation.
GDPR, the European Union’s General Data Protection Regulation, has arrived with much ado. So far, however, there has been little discussion about which insurance coverage will apply and what losses insurance will cover.
The new regulation protects European Union data subjects' right to privacy and protection of their personal data, imposing stiff penalties for violations. While considerations of GDPR liability often focus on the potentially large penalties, the liability takes other forms as well. The types of liabilities faced, and the reasons for the liabilities, raise important insurance considerations.
As recently as April 2018, it was reported that only 5 percent of likely affected companies were prepared to meet the stringent GDPR standards. “The British Standards Institution (BSI) surveyed 1,800 firms and while 97 percent agreed the regulation would affect them, only 5 percent were fully prepared and 33 percent were halfway to complying.” These statistics indicate that despite best efforts to prepare – including the many opt-in cookie pop-ups companies are using on their websites – there likely will be losses from violations and alleged violations of GDPR.
Read more: New GDPR Law Triggers New Risks - And a Panoply of Coverage Issues