The GDPR, the European Union's Global Data Protection Regulation (GDPR), took effect on May 25. As my colleagues have written, the regulations apply to many US companies that hold data on EU customers, vendors, or employees. Businesses are still scrambling to comply with the regulation, including getting consent from EU contacts to continue to send marketing materials. There are significant questions about how the regulations will be enforced, but one fact is clearly worrisome: under GDPR's graduated penalty scheme, companies found in violation may be hit with fines of up to the greater of 4% of annual global revenue or 20 million Euros. Fines at that level could destroy many businesses.
Therefore, in addition to taking steps to comply with GDPR, companies should be assessing their insurance program to determine whether their current policies are likely to provide coverage in the event of a GDPR enforcement action or suit.
First-party coverage. A key feature of almost every cyber-insurance policy is coverage for the cost of investigating a data breach, and providing notification to those impacted. These are generally referred to as "first-party" costs—costs incurred by the company itself, rather than costs levied by a court or a regulator. One hitch with GDPR first-party coverage may be that under GDPR notification may be required even if the company has not made a determination that there was a breach, but only suspects that one may have occurred. Some cyber policies do not cover notification costs unless a determination has been made that notification is absolutely necessary. That policy language could come into conflict with GDPR.
Liability coverage. The bigger question may be about coverage for those staggering fines. Many cyber-insurance policies provide some coverage for "fines and penalties" levied by governmental authorities under the liability or "third-party" coverage section. This coverage is usually triggered by a breach ("unauthorized access" in insurance-speak). The coverage is aimed at US laws (state or federal) on keeping consumer data (particularly health care data) secure. Coverage sometimes extends to liability for failure to comply with the company's own privacy policy (essentially, coverage for unfair trade practices). Therefore, so long as the policy covers risks globally, rather than being restricted to the US, there should be coverage at least in concept for similar GDPR liability risks. As with most things, however, the devil will be in the details.
Mishandling of data. One potential problem is that GDPR fines may be assessed even if there was no breach into the company's systems, but simply mishandling of data. A policy with fines/penalties coverage limited to a breach may not respond if the cause of the liability was not a breach but was data mishandling in some other form (such as failure to delete or change personal data). It would be preferable to have coverage for a "privacy violation," defined broadly to include any violation of a privacy-related law, that applies to fines/penalties as well as actual damages.
"Spam" coverage. Many cyber policies contain exclusions for "unlawful collection of data" or "unlawful communication," such as violations of the Telephone Consumer Protection Act (TCPA) due to text-spamming. Perhaps the most widely-shared risk under the GDPR is for exactly that kind of behavior (which is why you were bombarded with "opt-in" requests from customers and vendors to remain on mailing lists right before the deadline). Exclusions for spamming could pose problems for GDPR coverage.
"Insurability." Another problem for coverage of GDPR actions will come from vaguely-worded exclusions, such as exclusions for fines not "insurable by law" or "uninsurable by public policy." Those provisions are designed to comply with laws in some US states that losses that are punitive in nature (rather than compensatory) cannot be insured against - an offshoot of the idea being that a company should not be able to use insurance to protect itself against damages for intentional acts. (State law varies on this point). The exclusion should generally not apply to defense costs, but only to the fines/penalties themselves.
It now appears that many EU members will take the position that GDPR fines/penalties are not insurable under local law. Whether this will necessarily impact US-based companies with cyber policies interpreted under US state law remains to be seen (despite the pronouncements of some commentators). EU regulators may have significant difficulties in collecting GDPR fines from US companies under international law; that difficulty may extend also to insurance companies attempting to enforce an EU member's view on insurability in the context of a cyber policy governed by US state law. To avoid such disputes policyholders may demand that such language be removed, or that it be amended to clarify that insurability will be determined under applicable US state law.
Conclusion. Every business that is required to comply with GDPR should carefully review its insurance program—including cyber, D&O and other coverages—with these issues in mind and try to patch any holes that appear, and then plan to re-assess on a regular basis as the GDPR begins to be enforced, providing better information about the risks to US companies.
