The European General Data Protection Regulation is approved and poised to bring new responsibilities that insurers must prepare for. On the cards for the longest time, the European General Data Protection Regulation has finally obtained member state approval, and the clock has officially started counting down to its 2018 implementation. There are definite positives to it, some negatives and a whole lot of grey area in between, but one thing is for sure: it will be a game changer for cyber insurance.
The GDPR broadly addresses two key areas: data privacy and control, and security. The insurance market can definitely help with the risk transfer elements associated with the first, but can only advise companies about the responsibility they themselves must take for the latter.
On the whole, the GDPR requirements around data privacy are positive, and the key stipulation is the 72-hour notification period. All businesses that suffer a data breach will be required to notify their relevant regulator within 72 hours.
In the UK, this would be the Information Commissioner’s Office. The regulator will want to know what happened, how many records were affected, the level of security protecting the data, and what the company has done to resolve the breach. If the regulator deems that the breach has the potential to cause a ‘significant risk of harm’, it will order the business to notify all affected parties.
The 72-hour notice period to the regulator is a positive step. While short, it should still allow sufficient time to understand the potential impact of a breach, thereby avoiding scaremongering among the public via ill-advised knee-jerk responses.
There are, however, two massive grey areas here: who is the relevant regulator, and what qualifies as ‘significant risk of harm’? Is the regulator the one that presides over the business’s head office territory, or the one that presides over the territory of the individuals whose data was breached? And if the breach crosses multiple territories, can the business itself decide which regulator to notify?
This is a critical question because not all regulators are created equal, and if the past behaviour of the various European Union country regulators is anything to go by, some are considerably more tolerant of data breaches than others.
The sharp end of this is the financial penalty, and a business can potentially be fined twice. If it fails to notify the regulator in time, it can be fined up to 2% of the global turnover of its parent group. If it is considered to have failed to give adequate and proportionate protection to the data that has been breached, it can be handed a fine of up to 4% of the global turnover of its parent company.
The ‘up to’ is key here: if a business had a choice, it would opt for the country regulator that does not shoot for the upper end of that range.
The GDPR has, however, provided some welcome clarity around security, and encryption is the name of the game. If a business can prove that the data that has been breached was encrypted, then the regulator is likely not to require it to notify affected parties, and the breach can remain below the radar.
The reality of the GDPR will be borne out in courts across Europe as the first cases start to be heard and precedents created. Businesses will become increasingly aware of their responsibilities and liabilities as the government starts to push out communications.
This is an opportunity for the insurance industry to be ahead of the curve, to support businesses through the implementation phase and to ensure they have adequate levels of protection when the time comes. When similar regulation came into effect across the US, it changed the cyber liability playing field, making it the estimated $2-3bn market it is today. Across the EU, cyber insurance estimates are less than 10% of the US figures, but never have we been in a better position to put our best foot forward by providing the right support for customers when they need it.
This article first appeared on Post online.