Insurers should brace themselves for an increase in insurance claims for data breaches since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. Those were the conclusions of the International Underwriting Association (IUA) in a recent research paper.
Several reasons were identified by the IUA for the likely increase in data breach claims. These include the GDPR’s changes to the right to compensation for data breaches, lower thresholds for notification of breaches and increased defence costs. Another factor is the introduction of group litigation into data protection law, which allows consumer bodies to represent multiple individuals in mass claims. The IUA said: “The introduction of the GDPR means people are likely to be more aware of their rights, are legally entitled to notification of any data breaches and have greater scope for seeking redress. Each of these factors could lead to a greater number of claims.”
The IUA has stated that it expects increased numbers of claims to be made under general liability policies, where data protection cover is commonly provided as an extension. Others have predicted that there will be a significant impact on D&O and cyber insurance, both in terms of uptake of policies and claims. In relation to D&O, the GDPR provides significant scope for civil claims and regulatory action against directors and officers. In relation to cyber, many cyber policies cover the cost of regulatory investigations, which is a key reason why demand for cyber cover is set to increase.
Insurers are advised to check carefully whether their existing policy limits and sub-limits are appropriate for the post-GDPR environment. They are also advised to review references to data protection legislation in their policy wordings, examine current policy triggers, and review their existing risk management assessments (for example in relation to the extent of their clients’ GDPR compliance). The IUA has said that “it is important that insurers understand how their liability products are likely to perform in the new data protection landscape”. The IUA hopes that its report will serve as a catalyst for its development of new wordings for the GDPR regime.
These issues are of course in addition to insurers’ own obligations to comply with the GDPR. These are significant because insurers must collect and access a large amount of personal information, meaning that data processing lies at the heart of insurance business. The potential penalties for breach of the GDPR are serious. Aside from reputational damage, those in breach are liable to pay a fine of up to €20m or 4% of global turnover, whichever is higher.