01 February 2018

Ahead of the implementation of the General Data Protection Regulations (GDPR) across the EU in May 2018, a number of countries have recently announced plans to bring their data protection laws more in line with Europe. This article discusses this global trend and the cyber insurance implications.

  • Trend being driven by global movement of data
  • As seen in the US, mandatory notification requirements could drive demand for cyber insurance
  • Changes should prompt global organisations to review their aggregate limits of their global cover

Asia

Singapore recently announced plans to beef up its cyber security rules, which would require critical infrastructure operators, including banks, telecoms and energy companies, to report breaches as soon as they are discovered.

South Korea, the Philippines and Indonesia already require data handlers to notify the regulator and affected data owners of a breach of personally identifiable data.

China recently tightened its data protection laws with the Cybersecurity Law, which requires network operators to notify data breaches to the regulator and the public. Japan does not currently have mandatory notification requirements; however, it is in discussions with the European Commission regarding the convergence of their data protection regimes, with the intention of signing an agreement on regulatory equivalence in 2018.

Australia

These aren’t the only countries in Asia Pacific to introduce mandatory breach notification rules. In February 2017, the Australian Federal Parliament passed laws that would create a mandatory notification regime from February 22, 2018. Once implemented the regime will require organisations to notify data subjects and the Office of the Australian Information Commissioner (OAIC) in the event of a data breach.

Under the new law (the Privacy Amendment Notifiable Data Breaches Act 2017) organisations subject to the Privacy Act 1988 will be required to notify a breach where the loss or unauthorised disclosure of data could lead to physical, psychological, emotional, and financial harm. Like Canada, the move brings Australia’s data protection law more in line with those of the EU under the GDPR.

Conscious of the extraterritorial nature of the GDPR (it applies to any company processing data on EU citizens) the Office of the Australian Information Commissioner (OAIC) published GDPR guidance in May. The guidance encourages Australian businesses that process data on EU citizens to apply the higher standards required by the GDPR to all their Australian operations.

Canada

Canada is the latest country to announce its intention to introduce mandatory breach notification requirements. In September the country published its Breach of Security Safeguards Regulations, which activate mandatory reporting requirements under the Personal Information Protection and Electronic Documents Act.

Much like the GDPR, the new regulations will require organisations to notify the regulator and affected individuals in cases of a breach of personally identifiable data. Following a breach, a company would need to carry out a risk assessment before submitting a report to the regulator and potentially contacting the data owners.

Regulatory equivalence

Alignment of data protection regimes makes sense. Many organisations transfer personal data between countries, but regulators are wary of the practice and want to see adequate protections are in place. Europe, for example, does allow data to be transferred out of the EU, but only to countries that can guarantee an adequate level of protection.

The cross border flow of data appears to have been a factor in Canada’s decision to implement notification requirements. When Canada aligned its data protection rules with those of the EU, it highlighted the need to facilitate trade and mitigate compliance costs for Canadian companies.

Insurance driver

The alignment of data protection laws, coupled with high profile data breaches, is likely to see more countries introduce mandatory data breach notification requirements in the future.
This will be a significant driver for liability and the cost of a data breach for companies operating in these markets or processing data on their citizens. In the US, where mandatory notification requirements already exist, the cost of data breaches has increased significantly, helping drive demand for cyber insurance.

Data breaches are increasingly taking on an international dimension, and organisations could soon face mandatory notification requirements in multiple countries relating to one cyber security incident. This increased exposure will need to be reflected in cyber insurance policies, which will require appropriate limits and multinational data response services.

Here to help

If you would like to discuss how cyber risk mitigation and risk transfer solutions are helping businesses adapt to the changing global data breach landscape, please contact Miller’s cyber insurance specialist.