A business faced with new obligations is also faced with new risks. This is certainly true of the General Data Protection Regulation (GDPR), which implements new rights and responsibilities as well as a significantly higher penalty for the most serious data breaches.
Prudent businesses will always look to insurance as a means of protecting what’s important. And when it comes to data protection, ‘cyber insurance’ can be especially useful in helping you cover the costs and resources necessary to respond to a data breach effectively. Doubtless, the GDPR will cause many businesses to consider cyber insurance for the first time. We’ve also seen some evidence of insurers jumping on the GDPR bandwagon and using the arrival of the new data protection framework as a selling point for their policies.
For many organisations, cyber insurance can be a useful tool for reducing many of the data protection risks they are faced with. But it cannot cover everything, not least it currently looks highly doubtful that businesses will be able to recoup ICO fines from their insurers.
So how can insurance help you with the GDPR? This guide looks at some of the myths, benefits and limitations of insurance to help you find out.
What are your biggest GDPR risks?
The penalties linked to the GDPR have attracted plenty of commentary. But the UK’s Information Commissioner, Elizabeth Denham has been careful to dispel the suggestion that businesses are automatically going to be hit with huge fines for GDPR breaches. The ability to impose financial penalties is just one of the powers available to the ICO, suitable for serious breaches and multiple transgressions. So when considering the risks associated with GDPR non-compliance, organisations shouldn’t just focus on fines, but on a range of other possible consequences, too. These include the following:
- Costs and resources required to respond to ICO interventions and investigations.
- Business interruption – especially if the company is required to stop operating while an investigation is ongoing.
- Civil claims for compensation brought by individuals whose rights and freedoms have been impacted by a GDPR breach.
- Damage to your reputation. When an ICO issues a sanction, this information is in the public domain.
How can insurance help to reduce GDPR compliance risks?
Directly relevant to your GDPR requirements, cyber insurance can provide a useful level of protection in the following areas:
- Event management: this includes the costs associated with specialist data recovery and restoration.
- Systems failure: in the event of an internal system failure, outage or service interruption, insurance can help cover the costs to get back online.
- Response service: some insurers can provide emergency access to breach response specialists – useful if you do not have this expertise in-house.
- Breach reporting: costs associated with obtaining professional help with ICO reports and investigation responses.
Civil claims: coverage for legal representation as well as compensation and costs for claims brought against you by individuals affected by a breach.
The limitations of insurance for managing GDPR risks
Insurance cannot shield you against all GDPR-related liabilities. Significant limitations include the following:
Many policies include coverage for regulatory fines, so far as those fines are “recoverable at law”. This is where the difficulties lie. After all, fines are meant to be a deterrent, and if businesses are able to make an insurance claim to avoid paying up, this deterrent effect is lost.
Lawmakers recognise this, which is why there is a long-established “illegality defence” that prevents companies and individuals from using insurance to avoid the consequences of their illegal actions. As of yet, there hasn’t been a case before the UK courts to decide on whether a data regulator fine can be lawfully covered by insurance. But we already know from other areas of law (e.g. criminal penalties and fines issued by the Competition & Markets Authority) that fines of a “penal” nature (i.e. designed to punish the wrongdoer) are not recoverable.
As we’ve already seen, the ICO does not fine organisations for trivial reasons. Where financial penalties are considered appropriate, it tends to be in cases of blatant and serious failures, or where, despite warnings, the business in question has failed to mend its ways. In other words, in most cases an ICO fine would probably be viewed as “penal” in nature. So even if your policy appears to cover regulatory fines, just be aware that it might later be ruled as not “recoverable at law” – making this area of coverage pretty much useless.
Many policies include coverage designed to address damaged reputation as a result of a data breach or other cyber incident. So let’s say your business is targeted by a malware attack. The personal data of your customers is compromised, and to make matters worse, you fail to notify the ICO and the individuals affected. Following the subsequent ICO investigation and sanction, you lose close to 20% of your customer base.
Your insurance policy might include coverage for advertising, communications and even expert public relations advice, but it won’t compensate you for lost revenue as a result of the breach.