Are GDPR non-compliance fines insurable or not?
While technological evolution enables companies to gather and manage huge volumes of information about their existing or potential customers, personal data have become a new but very important class of assets in many businesses. At the same time, with GDPR, EU regulation on personal data protection not only gained extended scope and stronger provisions, but also provides regulators with significantly increased enforcement powers. Put briefly, although data protection rules existed before the GDPR, fines for a data breach were considerably smaller and enforcement actions infrequent.
Aon and the law firm DLA Piper have jointly released a report entitled "The price of data security - A guide to the insurability of GDPR fines across Europe". "GDPR fines can reach up to EUR 20 million, or up to 4% of a group's annual global turnover if higher," points out the report's introductory pages, adding that the "scale of these fines has understandably generated concern in boardrooms."
That being said, insurance coverage for the GDPR-related financial risks that organizations face would be more than desirable. Typical cyber insurance policies, the report underlines, only insure fines when "insurable by law", and stipulate that the insurability of fines or penalties shall be determined by the "laws of any applicable jurisdiction that most favors coverage for such monetary fines or penalties."
The Aon and DLA Piper report presents an overview of the European countries from the perspective of insurability and data regulatory tightness, as well as a series of case studies revealing the complexity that international cyber scenarios may reach.
The current status: there is no full overlap between the potential "GDPR risk" exposure and most insurance policies, which are often triggered by privacy or security incidents; moreover, GDPR violations may also be identified without an actual privacy or security incident occurring (non-compliance, for example). In fact, one of the main questions arising is whether GDPR non-compliance fines are insurable or not.
The answer varies from country to country, as legal rules governing insurability are often derived from public policy principles. In international cases, it also depends very much on the jurisdiction of choice, especially since the parties' choice will not always prevail over other legal considerations.
According to the Aon and DLA Piper report, among the 30 European countries under consideration, only in Finland are non-GDPR fines insurable; in 19 countries they are uninsurable, while in another 10 countries the situation is unclear.
GDPR fines are insurable in Finland and Norway, while in 20 countries such fines are clearly uninsurable. On the other hand, legal costs, other costs and liabilities following a data breach are insurable almost everywhere, except for Bulgaria and Poland, where the report's authors have marked the current situation as unclear. Only 4 countries have a data regulatory environment that can be defined as "moderate": Bulgaria, Croatia, Lithuania and Malta.
In fact, in many countries where GDPR fines were marked as uninsurable, insurance contracts covering administrative or criminal fines are not expressly prohibited, meaning that GDPR fines may in theory also be covered by an insurance contract. Yet there is a high risk that contracts insuring against those fines will be unenforceable if "it is considered that the parties' intention was to avoid administrative or criminal sanctions. It is a condition of insurability that the loss was caused by circumstances beyond the control of the insured."
In conclusion, at least for the time being, the insurance industry's potential contribution to managing GDPR-related risks is somewhat limited, especially when it comes to non-compliance issues. On the other hand, GDPR enforcement is only in its infancy, leaving room for future developments. Lawyers will certainly have a word to say.
Latest: At the recent AIRMIC Conference in Liverpool, Bermuda was mentioned by several sources as a potential extra-European choice for those looking for a jurisdiction where a policy might be used to pay out if a multinational were to be fined under GDPR by a European regulator. Singapore or Latin American countries such as Mexico and Colombia are also possible destinations for placing this type of risk. Yet, although Bermuda is already "in use" as an underwriting jurisdiction for insuring punitive fines issued by US state regulators, there is no guarantee that the experience can be replicated in the case of European GDPR fines. As emphasized at the AIRMIC Conference, the GDPR legislation is too new to allow anything other than speculation about the real dimensions of the fines and the outcome of any legal proceedings.
The full report "The price of data security - A guide to the insurability of GDPR fines across Europe" by Aon and DLA Piper can be accessed here.