How will Cyber Insurance respond to GDPR-related incidents?
A policy should cover a wide variety of data-breach related costs, including:
- Crisis response to gain initial advice from experts
- IT forensics to discover the source of a breach and stop it at its source
- The cost of establishing who has been affected, and to what extent
- The cost of notifying those affected
- Credit and/or identity theft monitoring for those affected, if required
- Setting up a call centre for those affected
- The cost of attending hearings, such as those held by the Data Protection Commissioner
- Fines and penalties, where they are insurable by law (see the note below)
- Defence and court attendance costs, and privacy-related liability claims
A note on insurability of fines and penalties under GDPR
As noted above, fines and penalties are covered only where they are insurable by law. What this means in practice will likely vary from country to country within the EU.
There is debate amongst insurers and legal experts as to whether a fine by the likes of the Data Protection Commissioner, or their equivalent in another country where GDPR is in effect, would be considered criminal or punitive in nature.
From an Irish perspective, the indications from the Data Protection Commissioner are that fines will indeed be partially or wholly punitive. If that is the case, then it is unlikely that an insurer can legally pay a claim for them, as doing so would be deemed to go against public policy. For companies that hold or process the personal data of individuals in other EU countries, the situation will vary by jurisdiction.
Coverage around GDPR should be as comprehensive as insurers can legally offer. In the absence of a legal precedent in each jurisdiction, however, no-one knows for certain whether the fines will be treated as criminal, punitive, or neither. Insurers are adamant that they will pay fines where they legally can, and their policy wordings are very clear on this.