In less than a year, on 25 May 2018, a profound reform of European data protection will come into force. The General Data Protection Regulation (GDPR) will establish one law across 28 European states, increasing the requirements on organisations that collect personal data and giving greater protection and rights to the individuals to whom the data belongs.
Put simply, organisations need to request only personal data that is relevant and retain it only for as long as is necessary, ensure and demonstrate that data records are securely protected, be able to prove that consent was given where required, and show where the data is going and what it is being used for.
The GDPR also impacts data controllers and processors outside the EU whose activities relate to the offering of goods or services to EU data subjects. Many will need to appoint an EU representative and, in some scenarios, a Data Protection Officer.
With GDPR increasing firms’ obligations and exposing them to much higher penalties in the event of a cyber breach, it is important that businesses reassess their exposures and, if needed, seek increased protection.
With ransomware now acknowledged by businesses as a serious modern-day threat, cyber threats are being taken far more seriously, and cyber insurance forms a vital part of the response.
GDPR will introduce fines of up to 4% of global turnover, or 20 million euros (whichever is higher), bringing EU legislation in line with the US, where similar rules have exposed businesses suffering data breaches to significant costs. These can take a variety of forms, from notification expenses and legal costs through to costly regulatory investigations and follow-on liability claims.
Under the new regulations, organisations will be under a duty to report data breaches that pose a high risk to individuals to supervisory authorities and possibly the individuals themselves, within 72 hours. These requirements will emphasise accountability at board level, increasing senior management’s awareness of breaches and their impact. These reporting requirements along with significant fines could lead to an increased need for cyber protection and risk mitigation strategies.
Insureds’ next steps
Getting ready for GDPR, and not putting off preparations, is essential. Here are some important next steps organisations should consider when it comes to cyber security:
- Firms should have already begun to analyse the extent to which GDPR impacts their operations. This should include reviewing and, if necessary, amending existing data protection policies. For example, in order to comply with the new notification requirements, insureds should be reviewing existing protocols to ensure that data breaches can be detected and managed properly.
- Developing incident response plans is also critical. These should map out key roles to prevent confusion in the event of a data breach.
- If they haven’t already, insureds also need to dust off their cyber policies (or get one if they do not have cover) and check their level of protection. If a policy was taken out before GDPR rules were published in April 2016, it is important to check whether the policy will still respond as it should in light of GDPR legislation. If a policy only protects against security incidents, for example, cover for wider data protection issues like mishandling data or technology failures should also be considered.
Miller is positioned to support and assist with specialist cyber policies that will provide:
- Privacy liability – class actions and suits that are filed against an organisation following the unauthorised disclosure of private and confidential information pertaining to an organisation or individual (including the firm’s own employees).
- Regulatory defence and civil penalties – providing defence and reimbursement for mandatory fines and penalties that follow regulatory action due to a privacy breach (where insurable by law).
- Breach response costs – costs for legal services, forensics, public relations, credit file monitoring, identity theft education, advertising and postage, and compliance with government regulatory notification requirements.
- Business income loss – reimbursement of net income that would have been earned had computer systems not been suspended or data assets lost.
- Data asset restoration/forensics – costs to recover, reinstate and recreate intangible assets destroyed during an attack. Forensic auditors, investigators and loss adjusters could all be hired to determine what information was stolen and who it belonged to.
- Reputational harm – income loss, the increased costs of working or PR expenses directly caused by a data breach.
For more information on Miller’s cyber security coverage, please don't hesitate to get in touch.