Author’s Note: The European Union adopted in April last year the General Data Protection Regulation, which has the potential to change the way cyber insurance is offered around the world. The rule takes full effect in 2018.
BDO Consulting Technology Advisory Services managing director Judy Selby took time to field Insurance Business’s questions on the matter. Here are her answers.
IB: How do you see the EU regulation changing the US regulatory environment?
JS: Generally speaking, US enterprises that handle or process the personal data of EU citizens will be subject to the provisions of the General Data Protection Regulation (GDPR)—regardless of where the company is headquartered. This means that US entities that transfer data to, from or within the EU will need to prepare to meet the regulation’s new requirements. The GDPR imposes liability on both the data controller and the processor, so these changes can have a significant impact on those conducting investigations or processing protected data. This includes when a US law firm or e-discovery service provider collects, processes and hosts data.
Since some of the GDPR provisions are stricter than US laws and regulations, many US businesses will need to tighten up their data protection standards to continue operating with EU citizens’ data. One notable difference between the EU and the US is the EU’s stronger emphasis on individual data privacy rights; this can be seen in the GDPR’s inclusion of EU citizens’ “right to be forgotten”. If a data subject makes this request, the controller must erase the subject’s personal data “without undue delay”, typically within a month. The controller must also inform other controllers about the individual’s objection. This makes it difficult for investigators, as they might find potentially relevant evidence temporarily or permanently unavailable—even though retaining that data may be legal in other jurisdictions or the erasure request may ultimately be unwarranted.
The balancing of GDPR regulations with US regulations will be challenging. Data processors will need to update their risk models, protocols for handling data, and contract terms and conditions. Companies may consider establishing “in-country” resources to avoid transporting data across borders and risking a complaint or enforcement at the border. They may also need to engage local counsel who have experience working with relevant data protection authorities (DPAs). It is also possible that DPAs may prohibit European clients from dealing with US vendors that do not comply with the new regulations.
IB: How do you see this affecting companies that earn revenues from using user data for commercial purposes? How do you see the US government and business community responding to the new commercial environment these rules will create?
JS: The GDPR requirements are lengthy and complex—and as such, companies may see a temporary slow-down in business or increase in costs as they adjust to the new regulation. Much of the potential impact also depends on how well companies disclose their practices and obtain consent, and how data subjects choose to respond to their newly defined rights. Under the GDPR, organizations must inform all data subjects of their rights prior to collecting their data. Subjects must then give “explicit” consent for any sensitive data to be used, and organizations must be able to show proof of this consent upon request. After the data is collected, data subjects can object to the data being used in any way (for example, for direct marketing purposes), as well as request the “right to be forgotten” (as aforementioned). Firms handling significant amounts of sensitive data must appoint a data protection officer (DPO) to oversee the implementation of these regulations.
As a result, companies will need be prepared to share a detailed analysis of their data flow, access, use and security controls, as well as policies and procedures, when asked. This increase in regulatory burden may cause some companies to increase their service fees to offset the additional costs. Organizations with fewer resources may also struggle to navigate and respond to data subjects’ requests and complaints in time, slowing down other business processes. Overall, companies will need to rethink their contracting and consent processes and their interactions with new and current customers.
Finally, there are heavy financial penalties for non-compliance: €20 million or 4% of annual worldwide turnover for groups of companies (whichever is greater). Larger organizations, particularly those in the technology industry, need to especially prepare, as non-compliance can result in billions of dollars in fines.
IB: How will this affect online commercial activity between the EU and the rest of the world? Do you see the new regulation changing the way current online commerce is conducted across the globe? How?
JS: Cross-border data transfers and online commercial activity will be more stringently regulated under the GDPR. Data exporters will need to not only gain data subjects’ consent to use and transport their data, but must also ensure that their subjects are sufficiently informed about the risks of transfer. Data subjects can also ask to receive back their personal data in a structured and commonly used format so that it can easily be transferred to another data controller (known as “data portability”). Figuring out how to meet all these requests in a timely manner without interrupting daily business operations will be a challenge. In addition, companies must ensure they have justifiable reasons for transferring personal data to jurisdictions with inadequate data protection regulation. These issues may make online commercial activity between developed countries and emerging markets, or those with fewer data protection regulations, difficult.
IB: How will the new rules help shape the future of cyber insurance?
JS: The cyber insurance industry is already expecting a huge amount of growth over the next several years, as companies drive to protect themselves from the recent surge in cyber-attacks. This growth will be further fuelled by the implementation of new regulations, including the GDPR.
GDPR requirements likely will drive many companies to re-assess their current cyber insurance coverage to determine whether or not they are sufficiently covered for potential GDPR-related liabilities. Coverage for breach response will be particularly important in light of the GDPR’s rigorous breach reporting requirements. Under the regulation, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. If a breach should occur, the data controller must notify its relevant DPA within 72 hours of awareness, when feasible. It must also notify the affected data subjects if the breach is likely to result in a “risk to the rights and freedoms of individuals” (notification does not have to occur if the breach does not). The GDPR also includes content requirements for notifications and sets forth limited exceptions to the notification rules. Comprehensive data breach response coverage, therefore, will be invaluable to help insureds comply with their GDPR obligations.
But breach response should not be the only area of concern. In addition to securing coverage for those liabilities, companies also should ensure that they have coverage for regulatory fines and penalties and for the wrongful or unlawful collection of data. Because there is no standard cyber policy, potential insureds must carefully consider their coverage options and negotiate for coverage that will meet their needs.
For insurers, the GDPR will require insurers to reassess their current products to determine if they adequately meet the liabilities imposed by the new regulation. In addition, insurers should be especially diligent when considering coverage for potential insureds, making sure to consider all potential data and operational risks that could lead to liability under the GDPR. For example, insurers should undertake to understand how their insureds collect and store protected data, and their relationships with third-parties involved in controlling and processing this data.
IB: What are the advantages and drawbacks of the new regulation?
JS: One big advantage of the GDPR is that, for most purposes, businesses will now need to deal with only one supervisory authority in the EU, rather than a different one for each EU state. “One-stop shopping” will simplify processes and reduce costs for companies that conduct business across several EU member states.
Nevertheless, the more stringent requirements will add an additional compliance burden and significant operational challenges for many companies, forcing the creation and implementation of entirely new ways of managing data that may not have existed before. In addition, EU citizens have the right to approach a DPA to lodge complaints at any time, which companies must now deal with in a timely manner. This may lead to additional costs and significant delays to business. In the extreme case, data controllers that do not set up the proper controls in time may find themselves unable to do business in the EU until they do so.
IB: How do you foresee the effectiveness of the rule in preventing major cyber-attacks in the future?
JS: Under the regulation’s Security of Processing (Article 32) provision, controllers and processors will be required to implement technical and organizational measures to cement a security level in line with the potential risk. Appropriate measures range from ensuring the confidentiality and integrity of data processing systems and services to the regular testing and evaluation of these systems. Data controllers must also conduct risk assessments to ensure that they understand the level of risks that they may be subject to, and how to best prevent them. The GDPR’s security provisions therefore may help mitigate the risk of future cyberattacks.
IB: How will the Privacy by Design and Default provision affect the delivery of services based on machine learning technology?
JS: The Privacy by Design and Privacy by Default principles are meant to ensure that stronger privacy controls are embedded in a system’s core functionality from the very beginning. First, the former requires services and businesses to account for the protection of any consumer data it uses during the entire lifecycle of the development of a product or service. The latter automatically affords consumers the principle of least privilege when it comes to the personal data newly acquired products or services can access from them. For products and services to gain access to more of their personal data, consumers will have to manually approve that access.
Since machine learning technology requires a great deal of data usage, companies using AI or developing AI products need to understand how GDPR’s frameworks apply in design. For example, since AI often uses existing data to generate more data (i.e. in the case of predicting the behaviour of certain groups), it is important that this newly generated data is also protected. However, knowing whether “explicit” consent was sufficiently given for companies to use and/or share this newly generated data can be unclear, as machine learning often infers personal details that were not originally intentionally shared. This will require organizations to thoroughly examine their product development processes and adjust internal controls so they’re in compliance with these new data protection principles.
IB: Is the two-year adoption period adequate time for insurers to cope with the major changes that are expected to take place with its implementation?
JS: While two years may have seemed like a long time, the GDPR will create significant operational demands that will make timely compliance quite challenging. Many organizations (especially non-European ones) will need to completely transform the way they collect and use personal information. The GDPR also contains numerous documentation requirements that will require considerable thought and effort, and the ability to accommodate the regulation’s new data subject rights may require major technical revamps. Insurers themselves will also need to prepare quickly. The anticipated increase in demand for cyber coverage must be met with adequate and knowledgeable underwriting and claims administration capabilities, so insurers should start thinking about how to hire and train people to fill those roles.
IB: What are the key points for compliance that insurers must look out for with the new rules?
JS: As mentioned, insurers will need to be cognizant of the fast turnaround time for reporting data breaches, as well as all the notification requirements should one occur. They will need deep knowledge of their insureds’ data management systems, and how to find critical information quickly should a data subject issue a request or complaint. They will also need to develop underwriting standards to adequately assess an entity’s GDPR-risk exposure when considering policy issuance.
Related stories:
Private cyber insurance provides adequate risk coverage: study
Morning Briefing: Cyber insurance market set to reach $14 billion