Recent decades have seen the emergence of a number of policy forms which respond to increased legal and regulatory burdens imposed on companies and individuals by English and EU law. For example, directors' and officers' (D&O) insurance has evolved to cover many of the increased risks which directors and executives face in today’s regulatory climate. Diverse other policy forms, from employment practices liability to pollution liability, have developed in response to greater legal and regulatory burdens being placed on insureds. Perhaps the most recent significant development is in the field of cyber insurance, given the increased focus of governments and legislatures on data privacy and security. In this article, Ffion Flockhart and Steven Hadwin consider the impact of proposed EU legislation and the potential growth opportunities in the cyber market.
The General Data Protection Regulation (the Regulation) is a proposed EU regulation which would impose a robust, harmonised data protection law across the EU. The Regulation will replace the existing Data Protection Directive (95/46) and will be directly applicable in all EU member states.
While the final text of the Regulation is yet to be agreed, some of the most significant proposals which impose greater burdens on companies are as follows:
- Companies based in the EU, as well as non-EU companies that carry out certain types of business in the EU, will need to report all personal data breaches to the appropriate data protection authority without undue delay, and where feasible within 24 hours.
- Persons affected by the data breach will be able to claim compensation from the company affected, if the company is in breach of the Regulation.
- Companies that breach their obligations under the Regulation could be fined as much as €1 million or 2 per cent of their global annual turnover, whichever is higher.
The Regulation would represent a significant increase in the data protection obligations imposed on companies in England & Wales.
At present, the final terms of the Regulation, including the details of the obligations to be placed on organisations, the sanctions for non-compliance and the likely timeframe for implementation, are only propositions and remain to be finally determined. Plans to agree the form and content of the Regulation before the European Parliamentary elections in May 2014 now appear unrealistic, and 2017 is effectively the earliest year in which the Regulation could come into force.
The timetable for implementation could slip further given that a number of Member States are still expressing reservations about the Regulation’s content – with UK Home Secretary Theresa May recently commenting that the Regulation’s proposals “do not reflect the realities of the modern, interconnected world” and the UK Information Commissioner’s Office having commented that the potential penalties imposed on companies may be too harsh.
Whatever the final form of the Regulation, it appears likely that it will act as a catalyst for growth of the cyber insurance industry. The implementation of more stringent data protection laws in the United States, many of which contain compulsory notification regimes and mechanisms by which affected individuals can bring claims against the organisations which process their personal data, has seen the US cyber insurance industry develop into a $1 billion industry, with around 30 insurers competing for business. The potential for growth in Europe is therefore clear.
Insurers will need to act quickly to ensure their cyber product offerings match market demand following the implementation of the Regulation. Equally, insureds will need to ensure that any cyber cover which they obtain matches the risk landscape they face.
Particular developments in policy form which are likely when the Regulation comes into force include the following:
- There will be a general shift away from the current focus in European cyber insurance policy wordings on first-party losses. At present, insureds tend to be more concerned about cover for first-party risks such as loss arising from business interruption following a cyber attack than potential third-party liabilities. The implementation of the Regulation looks set to change this, as insureds will need to consider the much larger potential liabilities for non-compliance with their legal obligations and the potential third-party claims in relation to non-compliance.
- The shift towards greater emphasis on cover for third-party liabilities will lead to some elements of existing cyber insurance policies becoming obsolete. Time deductibles, for example, will not be a suitable mechanism in a policy which is primarily designed to cover liabilities to third parties rather than first-party loss.
- Insureds will most likely be required to give a wider range of pre-contractual warranties that they have taken steps to comply with data protection laws including the Regulation, given the potential consequences of breach. Insurers are also likely to carry out more stringent due diligence on potential insureds for this reason.
- Ancillary services provided under a cyber insurance policy, such as legal and forensic support in the event of a data breach, will also grow in significance, as responding swiftly to breaches will become a crucial step in avoiding or minimising liability under the Regulation. Appropriate legal support will, for example, improve the likelihood that timely and accurate notifications are made to all relevant data protection authorities.
Each of these issues will require careful consideration from a policy drafting and negotiation perspective.
There are also a number of legal considerations which may affect the scope of cover provided by cyber insurance policies following the implementation of the Regulation. For example, while it will most likely be legally possible to insure liabilities arising out of claims brought by individuals who have been affected by a data breach, the legal position remains unclear on the insurability of fines issued by data protection authorities pursuant to the Regulation.
At present, penetration of cyber insurance products in Europe remains low, with only around 1 per cent of potential insureds taking out cyber cover. Market research has shown that this reluctance to purchase cyber cover often arises out of a perception that many of the benefits provided by a cyber policy are already offered under more conventional covers such as property damage and business interruption or general liability policies. However, the increased risk of third-party liability pursuant to the Regulation looks set to change this perception.
For insurers, this represents a valuable opportunity to grow their cyber business. Insurers should act now to ensure that the products they offer accurately reflect the risks which their customers face, including under the Regulation.
Equally, insureds should begin to consider how the Regulation will affect the risks and potential liabilities they face and should also consider whether any cyber products they have obtained to date would cover these risks appropriately.