The General Data Protection Regulation (“GDPR”) goes into effect tomorrow. Companies are considering the consequences and attempting to determine whether they are compliant or how to get there, whatever “compliant” ultimately will be determined to mean as time progresses under GDPR. In considering the consequences of failure to comply, companies are, or should be, also thinking about whether they can transfer risk, including to insurance, and whether their current insurance policies will do the trick. Many companies now have cyber insurance, but cannot presume that their current cyber policy will protect against GDPR exposures. So, as we welcome in GDPR, the internal corporate conversation should include discussion of whether existing cyber policies are enough, or what needs to be done to fortify insurance protection against unknown future GDPR financial exposures.
Things to consider now:
- Is it sufficient for companies to follow the status quo during the policy purchase process? Should additional people be added to the team involved in deciding what coverage to purchase and what information needs to be given to the insurer when the policy is being negotiated? When buying a policy that the company hopes will protect against GDPR violation risks, statements made that are not carefully scrutinized and considered could gut coverage when it is needed later. In other words, think hard before you agree to submit an insurance application that seeks “yes” or “no” responses with respect to questions about your GDPR “compliance.”
- Companies can face large financial exposure for GDPR “fines or penalties.” Are they covered under currently worded cyber policies? The answer is: maybe not, if your policy, for example, covers only regulatory proceedings addressing failures to protect private information, as opposed to GDPR proceedings that may address broader noncompliant data collection and use practices. Additionally, coverage for GDPR fines or penalties may be more restricted under the laws of many European countries than under the laws of certain states in the United States. Your insurer may agree to choice-of-law language in your policy that will increase the chances of coverage.
- What about exposures for failures to store or manage data in a GDPR compliant manner? Current cyber policies cover amounts spent by companies when private information has been breached or improperly accessed. But not all policies cover claims or lawsuits against your company by individuals claiming failures to maintain information in a GDPR-compliant manner, if the failure to maintain does not result in a data breach. Policy language should be carefully scrutinized to make sure it will kick in when needed.
- Insurance policy limits may seem adequate for U.S.-based cyber exposures, but not for GDPR. A cyber policy is not worth much if not enough coverage was purchased, and GDPR may require a new analysis of how “much” coverage, in terms of dollars, a company needs, particularly for GDPR fines/penalties.
- Just because companies see the letters GDPR in their policies does not automatically mean they are protected. Insurers have been adding “GDPR” language or endorsements to their policies, but not in all instances providing actual GDPR-related protection. This language also should be carefully reviewed to determine its scope and value.
- Check vendor policies! Companies can’t just scrutinize their own coverage and presume they are safe. They may need their vendors or trading partners to protect them in case of GDPR compliance failures—check their policies too.
May 25, 2018, is a big day for global data protection. It’s a good time to think broadly about whether your company is protected from this new data protection statutory scheme. Without putting insurance into the mix of issues to be immediately considered, a company could miss a key resource to help if/when GDPR becomes a local problem.