Ready or not, GDPR, the European Union's General Data Protection Regulation, has arrived. And many are not ready: as recently as April 2018 it was reported that only 5% of likely affected companies were prepared to meet the stringent GDPR standards, which means many of them may soon face GDPR losses.
Insurance coverage is expected to be important in dealing with these losses. Considerations of GDPR liability often focus on the potentially large penalties, but the losses take other forms as well, and each form raises its own insurance considerations.
Not All GDPR Losses Are Fines
One example of a potentially large loss imposed by GDPR rules is the cost of notifying the persons whose data you hold once you become aware of a breach. While some states in the U.S. require notification only when there is a reasonable suspicion that consumer data may have been compromised in a breach, GDPR goes further: it sets a short deadline for notifying the supervisory authority and requires notification of affected individuals when the breach is likely to result in a high risk to them. And GDPR protects the personal data of everyone in the EU, regardless of where the company holding that data is located. Just measuring the extent of the required notification could prove cumbersome.
But from a substantive standpoint, notification in Europe is not necessarily different from notification in the U.S. A cyber policy may be intended to cover exactly such notification costs. Policyholders should take note of what policy language they have and what constitutes a covered notification. Even where there is limiting language, coverage may still be available, and policyholders should take care to demonstrate that they are complying with coverage requirements.
Similar GDPR-mandated costs that are not fines may include appointing a data protection officer, forming a breach response team, conducting forensic analyses, and taking remedial action when needed to contain a breach. Coverage for these costs should not be overlooked just because they are incurred in compliance with GDPR.
Losses From Penalties and Fines
Of course, the potentially draconian fines that GDPR may impose on a company cannot be ignored. Some cyber insurance policies specifically provide coverage for "fines and penalties." That policy language should make coverage for GDPR fines and penalties relatively straightforward.
Other cyber policies may not contain such specific language but may include broad liability coverage for all amounts owed to third parties, including government entities. Coverage for instances of "unauthorized access" to data can be broad and focused on the means of access rather than the form of loss. Other coverage grants that may apply include regulatory liability coverage and network security liability coverage.
Many of these fines could be incurred based on mere negligence or mistake. Depending on the conduct underlying a violation, different coverage may apply and, in the absence of exclusionary language, may cover a resulting fine.
Potentially Exclusionary Language
Exclusions aimed at spammers, which defeat coverage for unlawful collection of data or unsolicited communications, could be used inappropriately to deny coverage for alleged GDPR violations. Policyholders should be prepared to explain why these exclusions should not apply to GDPR claims.
Insurance companies can also be expected to point to the laws of European countries that specifically bar insurance against fines and penalties. These arguments may successfully defeat some, but not all, coverage obligations. For example, a U.S.-based company relying on an insurance policy delivered in the U.S. and governed by U.S. law may have arguments against applying European law to a coverage dispute.
Other Policy Language That May Provide Coverage
Lastly, policyholders should not forget to review other lines of coverage. In many cases, depending on the allegations and the facts of the alleged violation, E&O and D&O liability policies may provide coverage.