As GDPR Takes Effect, Businesses Could be at Risk for Privacy Liability

Data protection rules are getting an overhaul in Europe, which likely will create a ripple effect that impacts U.S.-based organizations, regardless of whether they have European operations.

Starting Friday, May 25, the European General Data Protection Regulation (GDPR) will go into effect to update personal data rules, changing the requirements for organizations collecting and managing data. While GDPR was enacted to further protect the rights of individuals in controlling how their personal data is shared, the outcome is expected to be increased regulation and more stringent financial penalties for organizations that are not compliant.

GDPR will affect companies located in the European Union (EU) and any businesses that have operations and customers there as well. Yet any company that processes or stores data related to at least one citizen of the EU could be faced with the potential of noncompliance. Many experts say that further regulations specific to the U.S. could be on the horizon.

GDPR should prompt U.S.-based organizations of all sizes to examine their Cyber Liability coverage to protect against data leaks. The global average cost of a data breach is $3.62 million, according to the 2017 Ponemon Cost of Data Breach Study. The number of U.S. data breach incidents reached a new high of 1,579 in 2017, up nearly 45 percent from 2016, according to the Identity Theft Resource Center.

“Organizations may not have the proper amount of regulatory coverage needed in the event a security incident uncovers poor data protection or less than transparent data collection and sharing practices,” said David Derigiotis, Certified Information Privacy Professional (CIPP), Corporate Vice President and National Professional Liability Practice Leader, Burns & Wilcox, Detroit/Farmington Hills, Mich.

“Never has there been a larger spotlight on consumer privacy rights and data protection practices. It is really a culture shift for most organizations – not just Fortune 500 or Fortune 1000s,” Derigiotis said. “For so many years data collection has been the name of the game. Get as much as you can as fast as you can for chopping, dicing, and analyzing. Now, under the GDPR, data collection has to be more meaningful, precise, and most important of all, transparent.”

Data subjects have a variety of rights under the comprehensive law, including access to what information is being collected, erasure (data clearing), portability, and rectification, to name a few. To comply, an organization must first know specifically what it is collecting and where it is kept—a challenge for many. “When working with clients there have been times I have asked three people within the IT department how many records they have and what data is being collected and received three different answers,” said Derigiotis. “If you want to try and comply with GDPR, that won’t work.”

The GDPR impact

The enactment of GDPR brings added exposure for any business with the potential of collecting personally identifiable information on EU citizens. Businesses that violate GDPR can lose up to 4 percent of revenue – not profit – with a cap of $24.8 million.

Among the many provisions of GDPR are: the appointment of a data protection officer; the implementation of technical and organizational safeguards such as encryption and data minimization practices; expanded notification rules when a data breach occurs; the forbidding of certain data transfers; and a transparent process of providing access to records if requested by consumers. The definition of what constitutes personal information is broad and includes such identifiers as: location data; name; physical and psychological characteristics; and genetic, economic, cultural or social identifiers. “This could make it difficult for organizations to understand how to fully comply,” said Michael Schultz, Senior Broker, Professional Liability Center of Excellence, Burns & Wilcox, Detroit/Farmington Hills, Mich.

“Every business has cyber and privacy exposures, and any business that targets or collects information on EU citizens, even if indirectly as a processor, needs to be in compliance with the GDPR,” Schultz added.

The many U.S. businesses that could be affected include online retailers, technology companies, data brokers, marketing and advertising firms, subscription services, and hospitality services.

“Many companies do not know what information they have,” Schultz said. “This can complicate the response times, and internal audits should occur so businesses know what information they have and where it is stored.”

Companies must be transparent

It is incumbent on organizations that manage consumer data to show that they are taking steps to protect it, and that they are not using data for purposes other than what they state, Derigiotis said. More than anything, it comes down to transparency about how they are collecting and using data and, if there is an issue, taking immediate steps to remedy it.

“Transparency is one of the big keys,” Derigiotis said. “No one can 100 percent prevent a data breach, but you have to check all the boxes. You want to make sure your privacy policies are easy to understand and your organization knows exactly where all of the information resides. This is of course easier said than done.”

There are many ways that Cyber & Privacy Liability coverage can help support an organization that suffers a breach. Policies can cover regulatory fines and penalties, compliance costs, business interruption losses, reputational harm, and even extend to IT staff overtime expenses, Derigiotis said. “I view these policies as an investment in resources and your business as opposed to solely financial risk transfer. This is not your traditional insurance.”

Review your Cyber policy now

Not all policies have provisions that cover such costs. That’s why reviewing your Cyber Liability policy, especially in the wake of increased governance, can go a long way toward providing necessary protections. Furthermore, as the Cyber insurance market evolves and grows, more insurance carriers get involved, which keeps options competitive, Derigiotis said.

Limit capacity and availability of coverage features are very strong right now. Tailoring the right policy will depend on several factors ranging from the industry of operation to the size of the company to what security measures are in place. While costs can vary greatly, a starting point for a Cyber Liability policy is typically $1,000 per year for $1 million worth of coverage, Derigiotis said.

“It’s a field that is changing all the time, so if you have not had your Cyber policy updated in two years, the options now are vastly different,” Derigiotis said. Organizations operating in heavily regulated industries, such as healthcare, financial services and education, for example, can experience higher costs should a security event occur.

Information on how to self-certify for GDPR can be found at www.privacyshield.gov.

As with any coverage need, an insurance broker or agent must be consulted.

This information was provided by Burns & Wilcox, North America’s leading wholesale insurance broker and underwriting manager. Burns & Wilcox works exclusively with retail insurance brokers and agents to assist clients like you with their specialty insurance needs. Ask your insurance broker or agent if Cyber Liability Coverage is right for you. Burns & Wilcox is a proud sponsor of the Identity Theft Resource Center.