GDPR and Cyber Liability Insurance
Most general liability policies don’t deal with cyber perils or are non-specific when it comes to damage from cyber-attacks. It’s important to identify the level of risk an organization is faced with online and mitigate that risk accordingly.
Ian Thorton-Trump, Head of Cyber Security for AmTrust International
Every employer faces the reality that they may be the target of a network security or privacy breach. A cybersecurity or privacy breach can jeopardize credibility and cost small businesses thousands of dollars (or more) in damages. A data breach can impact an organization in many ways including: decline in customer service, lost client and proprietary data, business interruption, loss of reputation, etc. Plus, add in the costs of potential GDPR violation fines and the costs from a data breach could become an existential threat to continued business operations.
According to NetDiligence’s Cyber Claims Study
, the total cost of cyber and privacy-related claims topped $114 million in 2016. Personally identifiable information was the most reported data breach, with credit and payment card information being one of the most frequently stolen pieces of data. Maintaining cyber liability insurance will help keep companies operational after an attack.
The GDPR regulations spotlight the importance of privacy. This privacy extends to the systems which collect, store, process and transmit data. Cyber privacy can include both personally identifying information or non-identifying information which when aggregated can be used to identify - like a user’s behavior on a website and cookie information.
The GDPR requires that an organization notify data protection regulators and affected individuals about any data breach which is likely to result in a privacy risk to affected individuals. Notification significantly increases the costs of responding to a data breach, as well as the chances that affected individuals will make claims against the controller. The GDPR empowers data subjects to seek restitution in the form of class action lawsuits.
An important component of the GDPR requires organizations to announce data breaches publically, within 72 hours of the internal knowledge of the breach. An example of this requirement was recently displayed by the disclosure of the Marriott- Starwood data breach
of over 500 million guest r ecords dating back to 2014. The data breach was discovered internally by Marriott in late November 2018. The company released information about the breach within 72 hours after the breach’s discovery. It has yet to be determined if the company will also be given a large fine under the GDPR. Cyber liability insurance
augments and supports the business’s efforts to recover in the event of a cyber-attack. It will provide access to expert resources and financial support through investigation, notification, recovery and post-recovery activates related to a data breach event.
Definition of Terms in GDPR
The GDPR has a variety of terms that might not be familiar to you, but they are important to know as data privacy laws continue to evolve in the U.S.
Personal Identifiable Information (PII)
The GDPR explicitly directs organizations to protect personal identifiable information (PII) of all “data subjects” of the European Union and United Kingdom. Personal data means information relating to an identified or identifiable natural person. A person can be identified from information such as an ID number, location data, online identifier (like an IP or MAC address) or other specific factors. The protection of the PII data (and penalties associated with data breach of it) are rights held by the “data subject” and are enforceable inside and outside of the European Union and United Kingdom. The GDPR requires evidence of the protection measures a business has in place as PII data is collected, processed, stored or transmitted.
The law also requires the specific consent of “data subjects” for a business to collect, process, store or transmit their data.
The GDPR defines PII data as any information relating to a “data subject.” A data subject is “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The GDPR further defines the data subject as a resident of the European Union and United Kingdom. In some circumstances, such as a Canadian living in the European Union or United Kingdom, the protections of the GDPR would be extended to that data subject’s PII information. Additionally, it’s important to understand that the GDPR’s protections extend the rights of European Union and United Kingdom residents outside the region.
Right to Access
Right to access gives the data subject indisputable rights (as in they can’t be waived) to the PII data held by an enterprise. If a data subject requests access to their data, the law requires a response from the enterprise that includes all PII data for the subject. Additionally, the data must be transferred to the subject in an electronic format. Right to be forgotten, or right of erasure, allows data subjects to demand that enterprises delete their PII, stop transferring their data and even keep third parties from processing their data.
Data portability enforces the requirement for enterprises to provide the data subject with a copy of his or her data in a format that allows for easy use by another enterprise. When providing PII data, an enterprise must redact the PII of individuals other than the person requesting the data.
The GDPR requires that subjects give explicit consent for the collection, processing, storage and transmission of the PII data. Under the GDPR, consent must be freely given, specific and informed. Additionally, GDPR requires that a data subject reviews a statement and signifies via explicit action to their agreement to the collection, processing, storage or transmission of that subject’s PII data.
When it comes to enforcement, each country has its own privacy and information office. These are collectively known as the GDPR Supervisory Authorities (SA), also known as Data Protection Authorities (DPA). These groups are “national authorities tasked with the protection of data and privacy, as well as with monitoring and enforcing the data protection regulations within the European Union and United Kingdom.”
On the organizational level, the GDPR requires an enterprise, especially an international one, to designate a representative to be the point of contact for the country’s SA. The position known as the Data Protection Officer (DPO), reviews an enterprise’s operations to ensure they don’t violate the GDPR. A key responsibility of the DPO is to conduct a Privacy Impact Assessment (PIA). During a PIA, the DPO oversees an analysis of the PII data held by an enterprise as well as their security policies, allowing them to reduce the overall risk of a PII breach.
Fines and Consequences
Violations of the GDPR requirements can come from many sources, from data subject complaints to large scale data breaches due to cybersecurity issues. Companies are just beginning to feel the wrath of consequences for violating the GDPR. Authorities can impose material fines up to €20,000,000 or 4 percent annual worldwide revenue, whichever is higher, for serious violations to the GDPR. Just recently, the CNIL, a French data protection watchdog, issued a $57 million fine to Google
saying the company failed to comply with the GDPR when new Android users set up a new phone and during the phone onboarding process.