Is cyber insurance the solution to GDPR liability?
The enforcement of GDPR is imminent (25 May 2018). Companies have already spent millions of dollars, euros and pounds reinforcing their security and adapting their processes to ensure compliance.
But while confidence in GDPR compliance is growing, we suggested in the previous blog that this confidence is unfounded: there will be breaches, and there will be non-compliance fines levied.
The fines themselves may be severe, but they could easily be exceeded by separate civil damages awarded to the affected data subjects. GDPR (Article 82) gives any person who has suffered damage “the right to receive compensation from the controller or processor for the damage suffered,” whether that damage is material or non-material, with the amount to be decided by the courts.
That’s in Europe. Other countries will use their own courts, and it is worth considering the litigious nature of some countries.
Consider Facebook and Cambridge Analytica. Asked if Facebook would be in breach of GDPR (had it been in operation at the time), David Flint, Senior Partner at the MacRoberts law firm, told this author, “GDPR would apply to any processing of data carried out by Cambridge Analytica, even if only of US nationals…It is difficult to see how Facebook would not be considered as a Data Controller (or perhaps Controller in Common with Cambridge Analytica) given that it collected the data, and/or permitted CA to do so, provided the platform APIs which allowed the data collection and mining; [and] carried out automatic mass profiling.”
In the U.S., Facebook is now facing a huge class-action suit led by the law firm of Hagens Berman. Had this breach occurred with the GDPR in place, Facebook would not only be hit with a potential fine of up to 4% of their global turnover (roughly $1.6 billion USD based on their annual turnover for 2017 of $40.7 billion), but also any court-awarded civil damages. Hagens Berman has already represented millions of consumers in class-action cases, and has recovered more than $200 billion in victories and settlements.
To make matters worse, if the EU data protection regulators declare a firm to be in breach of the law, it is hard to see how any court would not also rule in favor of the ‘victims’.
Management consulting firm Oliver Wyman estimates that FTSE 100 companies might be facing up to £5 billion per year in fines, and that data breaches from 2012 to 2017 could have cost up to £25 billion had the GDPR been in force in those years. Consult Hyperion predicts that, in the first three years of GDPR, financial institutions could face fines totaling €4.46 billion. To these figures we must add an unknown, but potentially large, sum for civil damage awards.
With such large sums at stake, we can expect firms to do anything and everything possible to avoid paying. The European regulators will not find collection easy; nor for that matter will they wish to be so severe that, coupled with civil damages, they drive companies out of business.
But there is a solution that might satisfy all sides: GDPR-specific cyber insurance. We concluded in the previous blog that companies cannot guarantee the mitigation of GDPR risk. Of the remaining ways of treating a risk, they can clearly neither ignore it nor simply accept it, so the only option left is to transfer the financial component of GDPR risk to the insurance industry.
The insurance industry is already seeing a growing demand for cyber insurance driven by GDPR. We’re almost certain to see this increase post-GDPR. The question is, how will GDPR-specific insurance interact with the regulations, and what impact will it have on business? The purpose of the GDPR is to protect personal data (hence the stringent requirements and harsh penalties), but it is certainly not designed to cripple or destroy the businesses operating within it. Governments are likely to welcome companies insuring themselves against breaches: insurance will minimize the financial impact of non-compliance, while still allowing the EU to collect its fines and consumers to be compensated.
It could be argued that transferring the financial risk to the insurance industry might weaken companies’ resolve to implement strong security. This is unlikely. No insurer will be willing to underwrite poor security; insurers will insist that all clients are as secure, prepared and compliant as possible before offering cover.
A realistic and desirable outcome is that this will give rise to a symbiotic relationship between the GDPR and cyber insurance. It is even possible, over time, that GDPR liability insurance will become a legal requirement for doing business in the EU – just as motor insurance and employer’s liability insurance are legal requirements.
If this happens, and even if insurance simply becomes a solution of choice, the insurance industry will begin to drive the security industry. Poor security will be uninsurable. Strong security will attract lower premiums – but ultimately, the definition of strong security will be the insurance industry’s definition.
GDPR is already influencing corporate organization structures with its insistence, in certain circumstances, on the appointment of a Data Protection Officer. Insurance could have a greater effect. To protect their interests, cyber insurers may wish to dictate which security products an organization uses. This leaves security officers at risk of being relegated to management and maintenance roles, merely implementing decisions that have been made externally by the insurer.
Businesses have already made the best preparation they can for the new regulation. What happens next is down to how the GDPR is enforced. If enforcement is light and civil damages rare, then we may simply continue as we are.
But if enforcement is strong and civil damages common, then insurance may become a legal or de facto solution – and if that happens we may find the future cyber security industry will be driven by the cyber insurance industry.