THOMSON REUTERS

GDPR is here. Is your cyberinsurance ready?

By James E. Scheuermann, Esq., Lucas J. Tanglen, Esq., and Reymond E. Yammine, Esq., K&L Gates

AUGUST 3, 2018

The European Union’s General Data Protection Regulation, which took effect May 25, is designed to protect individual privacy. Cyberinsurance policies are predominantly — though not exclusively — focused on insuring losses arising from cybersecurity failures.

As U.S. corporations readied themselves for GDPR compliance, some reached out to their brokers and coverage counsel to determine the extent to which their current cyberinsurance policies would provide coverage for potential GDPR-related liabilities.

Even though the GDPR has now taken effect, it is not too late for corporate policyholders to review their cyberpolicy terms in light of the new exposures created by the GDPR. This article provides a brief overview of new liabilities created by the GDPR and explores some of the key cyberinsurance questions that it raises.

GDPR OVERVIEW

Broadly speaking, the GDPR is a far-reaching regulation intended for “the protection of natural persons with regard to the processing of personal data.”1 Its broad definition of “processing” encompasses many aspects of the usage of personal data, including its collection, storage, alteration, use and transmission.

The GDPR imposes requirements related to the “processing” of personal data. It also recognizes individual rights related to personal data, including with respect to data integrity.

The statute has a broad geographical reach: It imposes obligations on individuals and organizations that may have no presence in the EU but nonetheless process data (or monitor behavior) of individuals in EU nations.

The GDPR recognizes various individual rights including, among others, rights to access one’s personal data, to rectify inaccurate personal data and thereby ensure the integrity of data, and to erase personal data (the “right to be forgotten”).

It also imposes certain requirements to promptly notify the relevant supervisory authority in the event of a personal data breach and, where the breach is likely to result in a high risk to rights and freedoms, to notify the affected individuals.

Violations of GDPR provisions can give rise to both private causes of action and public enforcement actions. Individuals can seek to enforce their GDPR rights by lodging a complaint with the appropriate supervisory authority or filing a lawsuit for damages in the courts of a relevant member state.

In terms of public enforcement, each member state has the authority to enforce the GDPR, including by imposing fines, through its designated supervisory authority.

Depending on the nature and severity of a violation, GDPR fines could reach up to 20 million euros or 4 percent of a company’s total worldwide annual revenue, whichever is higher. EU member states may also enforce their own more specific data-related rules.

GDPR INSURANCE CONSIDERATIONS

Because there is no industry “standard” cyberinsurance policy form, we will not attempt to provide a comprehensive analysis of policy wording that may be relevant to GDPR liabilities. Rather, the following discussion is a starting point for assessing your company’s cyberinsurance in light of the GDPR.

Does the policy cover GDPR claims that do not involve an actual breach of ‘personal data’?

Cyberpolicies commonly provide coverage with respect to actual (or even potential) breaches of “personal data.” However, the GDPR can impose liability for a broad range of conduct relating to “personal data” independent of a breach involving such data.

For example, a cyberpolicy might cover certain “privacy perils,” defined to include the unauthorized release of private information, identity theft and the failure to protect private information.

If a policyholder is found liable under the GDPR for storing “personal data” beyond the permissible storage period, the insurer might argue that the violation was not a covered “privacy peril.”

While policyholders certainly may assert strong arguments that such “breach-centric” coverages apply to a variety of GDPR claims, for some policyholders it may be worthwhile to pursue an endorsement that defines the insured risk to more clearly cover

Thomson Reuters is a commercial publisher of content that is general and educational in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of individual transactions and cases. Users should consult with qualified legal counsel before acting on any information published by Thomson Reuters online or in print. Thomson Reuters, its affiliates and their editorial staff are not a law firm, do not represent or advise clients in any matter and are not bound by the professional responsibilities and duties of a legal practitioner. Nothing in this publication should be construed as legal advice or creating an attorney-client relationship. The views expressed in this publication by any contributor are not necessarily those of the publisher.