GDPR: Insurability of GDPR Fines and Penalties
Three months after enactment of the GDPR, a primary question for many stakeholders is how the various costs of compliance and non-compliance will interplay with organizations’ insurance policies. This is because the following key elements with regard to fines and penalties are yet to be ascertained:
- The size of fines and penalties.
- Their variance according to local law.
- How they will fare in court, as they are yet untested there.
- How they will resonate with board members.
Under the two-tier structure, the most serious GDPR infringements could bring fines as high as €20 million or 4% of global revenue, whichever is greater. For other breaches, authorities could impose fines of up to €10 million or 2% of the total worldwide annual turnover from the preceding financial year, whichever is higher.
A common question from insureds is: “Will our insurance policy respond in the event that we are faced with a fine or penalty?” The answer is likely to depend on the circumstances, including the policy wording and applicable governing law.
Key factors in answering the insurability question will likely include:
- Specifics of the insurance contract: which policies might provide coverage, whether they expressly provide or preclude coverage, and the choice-of-law provision in the policy.
- Decisions by courts in relevant jurisdictions, once the issue enters the legal system.
- The nature of the fine or penalty (civil or criminal) and how egregious the non-compliance was.
Any consideration of insurability must begin with the insurance contract as the foundation for coverage and recovery outcomes. Organizations should work with their advisors to understand how their policies might respond and, where possible, seek to add policy wording that provides the best chance at recovery in the event of GDPR non-compliance.
Because the ability to recover the costs for such fines will vary greatly depending upon these factors, we believe that the insurability of a fine for non-compliance with the GDPR is more of a grey area than a black or white certainty, with varying degrees of uncertainty depending on the geography and insurers.
Asia
In Asia, several carriers are offering policies with coverage for insurable GDPR fines and penalties. Reputable legal counsel foresee no prohibitions on the insurability of GDPR fines and penalties across most major Asian markets. Insurers offering such coverage have signaled that they anticipate paying related claims where legally permissible. Insureds should, of course, seek specific legal advice on the insurability of GDPR fines and penalties within the relevant jurisdiction in Asia.
US & Canada
Despite the uncertainty surrounding GDPR fines and penalties from a business risk standpoint, the predicted response of insurers in the US and Canada regarding cyber policies is generally positive. Several leading insurers for US and Canadian companies are adding this coverage for no additional premium. The question of insurability also shows considerable progression in both markets over the past 12 to 18 months, with an increasing number of insurers anticipating that they will pay claims for GDPR fines and penalties.
EU
For organizations based in EU countries, it is generally possible to obtain a policy that contains an insuring clause for regulatory fines and penalties, such as fines that may be levied in the event of non-compliance with the GDPR. However, organizations should be mindful that while a policy may contain such an insuring clause, this is no guarantee that the policy will respond.
There are potential impediments to the recovery of fines and penalties, and outcomes vary from case to case. For example, certain factors will need to be taken into account by the supervisory authority, including the potential impact of exclusions for deliberate or intentional acts.
It is important to work closely with your insurance advisors and check your insurance contract language in an effort to optimize coverage. As part of the process, you should also consider, with your legal counsel as appropriate, the laws of local member states and where the policy originated.
Marsh's GDPR Assessment and Coverage Solutions
Marsh worked for several years preceding the implementation of GDPR — with considerable success in many markets — to draft wording around the world to help our clients secure optimal coverage for all costs related to GDPR, including for fines and penalties where permitted by law. As part of our commitment to meeting client needs, we have in many markets developed proprietary GDPR coverage forms, which in our view offer broader, more responsive coverage for GDPR-related risks and losses than off-the-shelf or carrier wordings.
Our proprietary assessment and coverage solutions encompass the broad scope of risks related to GDPR:
- Data breach, both within the EU and beyond.
- Financial consequences of cyber events that trigger GDPR issues.
These best-in-class tools and forms can integrate seamlessly and efficiently into clients’ overall cyber risk management programs, providing solutions to mitigate the severity of potential losses, and complementing the roles of other cybersecurity or risk transfer products that address cyberattack frequency.
India Personal Data Protection Bill
Justice B N Srikrishna’s Committee report on the proposed data protection law in India was submitted recently. The report details the implications of the bill on data handling and processing practices by companies operating in India along with various government departments.
The bill, once it becomes law, will have a great impact on the way businesses operate in India, as it makes individual consent the centerpiece of data sharing and emphasises user rights. It also envisages greater accountability for data principals (fiduciaries), that is, all entities which collect data and determine the purpose and means of data processing.
One of the key recommendations of the bill is imposing fines and penalties. Penalties imposed will be the higher of:
- 2-4% of the company’s worldwide turnover; or
- Fines between INR 5 crore and INR 15 crore.
Our initial take on the draft is that it is in line with the recently implemented data privacy law in Europe, the EU GDPR, in terms of the rights of data principals, the areas of accountability for data principals and processors, and the penalties for non-compliance.