General Data Protection Regulation fines: are they insurable?
With less than ten months until the General Data Protection Regulation (GDPR) becomes enforceable by regulators across Europe, the discussion and debate around its impact on organisations across the continent are picking up pace.
One of the main talking points is the new fines regime that accompanies the Regulation. With lesser breaches attracting a maximum fine of 10 million euros, or 2% of annual global turnover, and the most serious breaches attracting a fine of up to 20 million euros, or 4% of annual global turnover, it is likely to prove costly to ill-prepared organisations.
In recent blogs, the Information Commissioner, Elizabeth Denham, of the Information Commissioner’s Office (ICO), counters many of the myths that have spread regarding the GDPR, particularly regarding fines. She states that concentrating on fines misses the point of the GDPR and that the ICO is “committed to guiding, advising and educating organisations…preferring the carrot to the stick.”
For the insurance industry, however, the possibility of large fines poses a tricky but fundamental question that many companies are asking: are these fines insurable?
Despite the ICO having had the power to levy fines under existing legislation for some time, relatively little helpful guidance is available on the question of insurability. The answer may depend on the language and detail of the implementing legislation. We are, however, able to summarise some of the key high-level principles that we believe are likely to be applicable.
At the heart of the matter is whether a court of law would consider the fine to be criminal or quasi-criminal in nature. If it would, then as a matter of public policy courts are unlikely to allow such penal sanctions to be indemnified by another party, since doing so would allow the intended deterrent effect of the fines to be defeated or circumvented.
There may be limited circumstances where an insured company might be allowed to be indemnified for fines or penalties arising from unlawful acts of strict liability, although for such sums to be indemnifiable the company’s actions would need to have been entirely free of fault or moral turpitude.
In practice, therefore, it is probably safest at present to work on the assumption that, in most cases, fines are unlikely to be insurable.
Guidance for the insurance industry will evolve as the implementing legislation comes into force and new case law is established. In the meantime, while a degree of uncertainty remains on this issue, it is clear that a specialist cyber insurance policy can still be very beneficial to an organisation dealing with a breach of the Regulation. For example, a cyber insurance policy can (subject, as ever, to policy terms and conditions):
1. Pay the costs associated with the ICO’s investigation.
2. Through deploying the insurers’ breach response teams, pay the costs incurred in complying with the onerous notification requirements in all jurisdictions.
3. Pay the legal costs and compensation claims brought against an insured organisation due to a breach of the GDPR.
4. Pay the costs incurred to mitigate the impact on an organisation’s reputation following a breach of the Regulation.
Please note that the purpose of this article is to provide a summary of and our thoughts on aspects of the General Data Protection Regulation. It does not contain a full analysis of the law nor does it constitute a legal opinion or advice by Lockton Companies LLP on the law discussed. The contents of this article should not be relied upon and you must take specific legal advice on any matter that relates to this. Lockton Companies LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of the material contained in this article. No part of this article may be used, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, reading or otherwise without the prior permission of Lockton Companies LLP.