Sweeping New EU Cyber Security Rules Raise Insurance Questions for Canadian Companies
Who you gonna call - if you run afoul of New EU Cybersecurity Rules?
By Brian Rosenbaum, Head of Aon Canada’s National Cyber and Privacy Practice
With new European Union data privacy rules coming into force on May 25, Canadian companies will face a very different cyber security environment. Called the General Data Protection Regulation (GDPR), the privacy legislation imposes strict requirements and hefty fines that will reach far beyond the EU’s borders, including to Canada.
GDPR has an extra-jurisdictional effect. Canadian companies are calling Aon to ask two questions: if we are fined can we get insurance coverage for our legal defence? And if our defence is unsuccessful, can we get coverage to pay for the fines?
A new report from Aon Cyber Solutions and DLA Piper helps answer those questions. It reviews the insurability of GDPR fines across Europe, which can reach up to 20 million euros, or up to 4 percent of a group’s annual worldwide revenues if higher. A company can even be fined 2 percent for not having its records in order.
The report, titled “The Price of Data Security: A guide to the insurability of GDPR fines across Europe,” surveys whether countries’ legal statutes 1) allow insurance of fines and penalties for non-compliance with GDPR; 2) allow insurance against legal costs and liabilities following a data breach (e.g., litigation, investigation and compensation); and 3) allow the insurability of non-GDPR regulatory fines. It finds that while there are only a few jurisdictions where GDRP fines are insurable, insurance against legal costs and liabilities following a data breach is widely available across Europe.
Countries tend to fall into three buckets:
- Those where insurance of regulatory fines is strictly forbidden;
- Those where insurance of regulatory fines is either formally permitted, or where there is no formal legal or regulatory prohibition, and some experiential evidence to suggest the practice may be accepted
- Those where there is simply no coherent legal answer and previous inquiries have not been able to determine
It is will also be important to see how violations of the GDPR will actually be treated in various countries. It is a general tenet in insurance law that fines for criminal or quasi criminal offenses or for intentional violations of the law cannot be paid by insurance in many jurisdictions. It is generally against public policy. But it is not clear if all or some violations of the GDPR will be treated as criminal, quasi-criminal or intentional in nature.
Canadian companies involved in the EU have good reason to be concerned about their risk exposure. The GDPR casts a wide net, applying to any company that offers goods or services to EU residents, regardless of where it is located, as well as monitoring behavior that takes place within the EU. The strengthened rules apply, for example, to consent – it must be easily understood and easy to withdraw – data breach notification – it must be done within 72 hours – and the right to be forgotten, through the erasure of data. https://www.eugdpr.org/key-changes.html
The first thing Canadian companies can do is make sure they are compliant, then consider insurance. For two decades cyber insurance policies have been adapting to the changing risk and regulatory environment, notes Rosenbaum. Aon in Canada has adapted the wording in its cyber insurance policies in the light of the new GDPR to give clients the legal costs they need to challenge the GDPR fine and provide the client a fighting chance to get the fine paid if they are caught offside.
Click here for the report “The Price of Data Security: A guide to the insurability of GDPR fines across Europe.”