November 2017
Liability insurers are facing a huge increase in potentially silent exposures as a result of the increased litigation and compensation claims expected following implementation of the EU General Data Protection Regulation (GDPR).
A DAC Beachcroft report that polled lawyers across the EU found that 80 percent of respondents expected the GDPR to increase litigation and compensation claims – which are typically insurable under liability policies.
“Litigation can really cost insurers and this increasing exposure is potentially a sleeping giant,” DAC Beachcroft partner Hans Allnutt told The Insurance Insider. “This issue is going to be acute in the UK because of a favourable litigation regime, but our report shows this is a pan-European issue.
“Because the GDPR is also aimed at corporations outside Europe, the GDPR represents a global data risk.”
The GDPR, which reforms existing data protection law and comes into force in May 2018, requires companies to notify clients of a data breach within 72 hours of discovery, and enables individuals to claim compensation for data protection breaches.
“There is an increasing recognition of the need to put individuals back in control of their privacy and personal data against the backdrop of big data,” said Allnutt. “The balance of power is tipping away from companies. This is reflected by increasing litigation across the whole of Europe. GDPR supercharges that trend.”
The maximum fine for breaching GDPR rules is the higher of EUR20mn ($23mn) or 4 percent of a company’s total worldwide annual turnover.
Cover for GDPR compensation claims and legal costs is available under affirmative cyber policies, but Allnutt warned there would also be claims submitted under several types of liability policies, such as professional and general liability.
Insurers are getting their heads around silent cyber because of recent statements issued by the UK regulator, the Prudential Regulation Authority, but they should also be aware of silent data risk, he said.
“The same attention to wordings needs to be given around the silent data risk with the GDPR,” Allnutt added.
Current Data Protection Act insuring clauses and exclusions need to be scrutinised now in anticipation of the GDPR coming into effect next May, he continued.
“Just as for cyber risk, insurers need to decide their appetite for insuring liabilities for privacy breaches. They should be aware that privacy liabilities extend beyond just the GDPR, so if they do not want to insure this risk, they should look at their current exclusions and be mindful that a simple GDPR exclusion might not be wide enough.”
One grey area is the insurability of GDPR fines. Allnutt said it was difficult to cite a single law that explicitly stated that GDPR fines were uninsurable.
“The lack of clarity over whether fines are insurable has caused some frustration but I do think the issue is akin to sanctions exclusions,” he said. “Everyone accepts that an insurer would not make a payment to a company that would breach sanction laws.”