Cyber security breaches are occurring with increasing regularity. In the UK, British Gas was recently forced to contact 2,200 customers warning them that their personal data had been posted online in an unexplained data leak. Prior to that, TalkTalk suffered a “significant and sustained” cyber attack which put the personal details of around four million customers at risk. Around the same time, Marks & Spencer suffered a breach of personal data on its website.
Insurers and brokers ought to take a keen interest in these issues for two reasons. First, because the rise to prominence of cyber issues is likely to lead to greatly increased demand for cyber insurance products. And second, because insurers and brokers themselves are constantly acting as “data controllers” for the purposes of the Data Protection Act 1998, as they collect enormous amounts of personal data about their clients, particularly at the underwriting and claims stages of their business. The penalties for getting it wrong can be severe. Two of the largest ever fines for data breaches were imposed by the Financial Conduct Authority on insurance businesses, with respective fines of £2.25 million and £3 million imposed for mishandling personal data. In this regard, the recent European Court of Justice (ECJ) preliminary ruling in Weltimmo v Hungarian Data Protection Authority should particularly interest insurers doing business in the EU.
In Weltimmo, the ECJ ruled that if a company offers services in the native language of a country and has representatives in that country, it is accountable to that country’s national data protection agency even though it is not actually headquartered there. Weltimmo was a Slovakia-based property advertising website that operated in Hungary. It breached Hungarian data protection laws by passing user information to debt collection agencies, and the Hungarian authorities imposed a fine on it. The crux of the case is the extension of the definition of “establishment” under Article 4(1)(a) of the EU Data Protection Directive 95/46, which is now no longer limited to a company’s country of registration. Instead, if that company has what the court called “stable arrangements” in another EU country, that other country’s data protection laws will apply. Many UK insurers and brokers have operations within other EU countries, and vice versa, such as representatives registered in the other country, bank accounts and offices. According to the ECJ, these are all potentially “stable arrangements”, which means that those insurers or brokers may also be subject to local data protection regulations.
The ECJ’s approach in Weltimmo is aligned with that of the European “passporting” regime, under which an insurer or broker which has authorisation to carry on insurance business in one EEA member state is able to carry on insurance business in other member states pursuant to the EU principles of freedom of services and freedom of establishment. Under this regime, an insurer which is registered in one member state will have an “establishment” in another member state if it has a stable and lasting presence in that other member state.
Insurers are likely to benefit from the ever increasing impact of data protection issues, which extend worldwide beyond this landmark EU case. In particular, the cyber insurance market is set to expand considerably over the next few years. It is predicted to triple in size by 2020 and, according to the Association of British Insurers, cyber insurance products will become “as common a purchase for UK businesses as property insurance” by 2025. In writing these and other risks, insurers must themselves be very careful to comply with data protection regulations when they collect and handle customer data. After Weltimmo, they must be aware that they may become subject to the data protection regime of other EU countries. The legal, commercial and reputational cost of failure is too high to be ignored.