When the European Union’s updated General Data Protection Regulation (GDPR) went into effect on May 25, 2018, media reports focused on the potentially massive fines that the regulation authorizes: up to €20 million or 4 percent of a company’s annual worldwide revenue, whichever is higher, for noncompliance with the regulation’s strict data collection and use requirements. The possibility of regulatory fines of this magnitude immediately raised the question of whether insurance is available to protect companies against the huge financial exposure. The answer to this question, it turns out, is complicated.
For many years now, there have been policies available in the insurance marketplace for privacy-related claims and losses. Many companies these days include a privacy and network security policy as a standard part of their corporate insurance program, and more companies are purchasing the coverage all of the time.
As a result of competition and innovation, the coverage available under the typical privacy and network security policy is much improved from even just a few years ago. With respect to the questions surrounding the insurability of GDPR fines and penalties, it is important to note that most well-constructed privacy and network security policies include a separate insuring clause for regulatory defense and regulatory fines and penalties. Many privacy and network security policies even specifically mention the EU data protection laws in their definition of “privacy regulations.”
The regulatory coverage is of course subject to all of the policy’s terms and conditions, including, significantly, the policy exclusion precluding coverage for “a willful, intentional, deliberate, malicious, fraudulent, dishonest, or criminal act or omission,” subject to a requirement that a final judicial determination has established that the precluded conduct occurred.
Most importantly, the regulatory coverage available under most privacy and network security policies specifies that the coverage is provided only “to the extent insurable by law.” The as yet unanswered question is whether GDPR fines and penalties are insurable under the applicable law, regardless of what the policy provisions might otherwise say. While the insurability question may vary according to applicable law, the likelihood in many jurisdictions is that GDPR fines and penalties would not be insurable.
As discussed in a report issued jointly by AON and DLA Piper just before the updated GDPR regulation went into effect in May (here), under applicable local law and public policy principles, there are only a few jurisdictions in Europe where civil fines can be covered by insurance, and even in those few jurisdictions, there must be no intentional wrongdoing or gross negligence involved. The report’s authors reviewed the applicable laws in 30 European countries and concluded that GDPR fines would likely be insurable in Finland and Norway, but that in 20 of the 30 countries reviewed (including, for example, Portugal, France and the U.K.) the fines are not insurable. The law is unclear in the eight remaining countries reviewed.
It is important to keep in mind that while the report focuses on the question of insurability in Europe, GDPR’s potential scope sweeps far beyond just companies based in Europe. The regulation also applies to organizations that offer goods and services to, or monitor the behavior of, European data subjects, even when those organizations are located outside of the EU. The likelihood is that sooner or later companies based outside the EU will find themselves having to answer to EU regulators (or their in-country counterparts) about GDPR compliance issues. As a result, the question of insurability is likely to arise not just under the laws of the 30 countries the report reviews, but under the laws of many other countries as well.
We are only in the early days of the regulation’s applicability, and we have no experience to suggest how all of this will play out in actual practice. As one commentator noted in a November 9, 2018 Law 360 article entitled “Looming GDPR Fines to Spark Insurance Coverage Fights” (here, subscription required), even though there potentially could be significant public policy issues involved in trying to get coverage for GDPR fines and penalties, that doesn’t necessarily mean companies will never get coverage.
For starters, one uncertainty is the question of who might raise the public policy barriers against insurability. Of greatest concern is the possibility that the EU or country-specific regulators will act to bar insurance of GDPR fines and penalties, in order to ensure that the corrective force behind the fine or penalty is not dampened by a transfer of the cost to an insurer. And while we have no experience yet to say with any certainty, it has to be assumed that in many cases the insurer may be the one to raise the public policy barrier to insurability.
The regulatory coverage found in many privacy and network security policies doesn’t provide a sure path to overcome these obstacles and objections; rather, it gives the policyholder a means by which to try to argue that the fines and penalties are covered.
To be sure, if insurers were to find themselves routinely absorbing massive GDPR fines, it seems likely that the insurers would change their practices, either with respect to the coverage afforded or with respect to the companies they would underwrite, and also with respect to the prices they charge.
It is important to note that there are other important insurance questions involved with GDPR regulatory proceedings beyond just the question of the insurability of the potential fines. For starters, the costs associated with responding to and defending against GDPR-related regulatory proceedings could be massive. The regulatory coverage section of most privacy and network security policies expressly provides coverage for the claims-related expenses arising from a regulatory proceeding. Under the laws of most jurisdictions, public policy concerns would not preclude coverage for claims-related expenses.
In addition, in many circumstances, the underlying event that might trigger a GDPR-related investigation might itself involve a host of costs. These costs might include, for example with respect to a data breach, remediation, public relations, breach notification, forensic investigation, business disruption losses, and similar costs. Subject to all of the policy’s terms and conditions, a company’s privacy and network security insurance policy could be available to protect the company against these kinds of costs. With respect to these kinds of costs, public policy considerations are unlikely to present the same kind of barrier as might be the case with respect to fines or penalties. For that reason, even if GDPR fines and penalties are not insurable, privacy and network security insurance will still be an important component of any organization’s strategy to manage its risks.
The Law 360 article to which I linked above contains a quotation of an interesting statement by a representative of the U.K. Information Commissioner’s Office about the question of insurability of GDPR fines. After noting that there is nothing in the GDPR itself that either permits or prohibits insurance, the representative said that “A focus on insurance rather misses the point, and organizations should be looking to recognize the benefits of good information rights practices to their efficiency, reputation, and competitive edge.” In other words, while the insurance questions may be important, the more important issues are compliance and risk management.