Insurers seek clarity on coverage for GDPR fines

Out-Law News | 25 Jan 2019 | 5:17 pm | 3 min. read

Insurers have called for clarity from global policymakers about the extent to which they can provide coverage for regulatory fines and penalties, such as those issued for breaches of the EU's General Data Protection Regulation (GDPR).

The Global Federation of Insurance Associations (GFIA) has written to the Organisation for Economic Cooperation and Development (OECD) to offer its "proactive and meaningful participation" in the OECD's new cyber insurance project, which is being led by the organisation's Insurance and Private Pensions Committee (IPPC).

In GFIA's view, the growing cyber insurance market is "an important resiliency tool with many ancillary benefits". However, there are a number of challenges to market growth, which include educational and awareness gaps, the continually evolving risk landscape and a need for more data, it said.

The OECD noted in a previous consultation that there was "international confusion" about whether insurers could provide coverage for fines and penalties. GFIA said that OECD work to clarify the issue "would benefit consumer and insurer contract certainty".

"IPPC members may want to consider reviewing the broader cybersecurity landscape to review how policy and regulation can support open market penetration through greater cyber risk awareness, data sharing and information sharing," GFIA said in a statement.

"As to the scope of the project, GFIA is of the view that beginning with an understanding of the importance of open, growing cyber insurance markets will lead to a balanced project focused on addressing the challenges to market growth, which is preferable to outcomes on regulatory strategies and best practices," it said.

The OECD has already indicated its intention to conduct several consultations throughout the project in order to better understand the implications and impact of legislation and regulation on the cyber security market. GFIA has welcomed this desire to consult, and proposed a number of questions that the OECD could ask of its members in order to establish the effect that regulatory or supervisory requirements have had on the domestic market.

GDPR is the EU's main data protection law and has applied since 25 May 2018. Businesses can be fined up to €20 million or 4% of their global annual turnover, whichever is higher, for the most serious breaches of the new regime – significantly higher than the maximum penalties which were previously applicable, e.g. £500,000 in the UK under the Data Protection Act 1998.

Whether or not businesses can obtain insurance cover for regulatory fines generally depends on the local law. In the UK, for example, cover cannot generally be obtained, for public policy reasons, for fines imposed for criminal or quasi-criminal conduct.

A spokesperson for the UK Information Commissioner's Office (ICO) told Out-Law last year that there was "nothing in the GDPR which either permits or prohibits" insurance coverage for regulatory fines.

"We are aware that there is insurance available against cyber risks and data breaches, but we are not aware whether insurance is available to provide cover against fines which may be issued by the ICO for breaches of the GDPR," the spokesperson said. "However, our view is that a focus on insurance rather misses the point, and organisations should be looking to recognise the benefits of good information rights practice to efficiency, reputation and competitive edge."

"The insurability of fines and penalties has remained a grey area for some time," said insurance litigation expert Chamika Hand of Pinsent Masons, the law firm behind Out-Law. "Whilst some regulatory bodies, such as the FCA, have made clear that their penalties cannot be covered by insurance, this is not the case for the ICO. This has led to insurers being forced to deal with this issue on a case by case basis, which is unsatisfactory for both the insured and the insurer. Any assistance that can be provided by policymakers on this issue will greatly assist the market in being able to assess risk and set premiums at appropriate levels."

"The scope of potential cyber exposure continues to grow, including following the Morrison Supermarkets Court of Appeal decision in October last year. As indicated by the Court of Appeal, insurance will be needed to ameliorate such cyber risks to companies, and insurers would be wise to factor this in when seeking guidance from policymakers."

Cyber security expert Ian Birdsey of Pinsent Masons said that it was likely the courts would consider the insurability of ICO fines issued under the GDPR in a cyber context "in the next 12-18 months".

"In a cyber security context, the focus of the commentary to date is somewhat misplaced," he said. "It focuses wrongly on the 2010 Court of Appeal decision in Safeway Stores Ltd v Twigger which, due to its facts, is unlikely to be analogous to any cyber-focused monetary penalty notice issued by the ICO in the event of a finding that an organisation has infringed articles 5 and/or 32 of the GDPR and is liable to pay the attendant ICO fine."

"There is a divergence in the cyber insurance market, with a number of insurance markets actively looking to cover such fines if they are insurable at law. The practical reality is that, for a number of companies, any ICO fine will likely reduce the company's corresponding IT security budget if such fines are not insurable," he said.

Chamika Hand will be speaking about the impact of the Morrison Supermarkets Court of Appeal decision, among other topics, at a Pinsent Masons event in London on 31 January 2019.