GDPR Insurance: Coverage for Fines Hard to Find But Other Non-Compliance Costs Insurable

May 16, 2018

The civil fines for non-compliance with Europe’s new data privacy law can be steep, but organizations across Europe should not expect their insurance to cover them.

Unless the business or organization is in Norway or Finland.

A “price of data security” guide by Aon and DLA Piper on the availability of insurance for General Data Protection Regulation (GDPR) infractions revealed that businesses are on their own in most countries. Finland and Norway are the only two countries where insurance for fines might be found. In 20 of the 30 reviewed jurisdictions, GDPR fines are generally not regarded as insurable; these include the UK, France, Italy and Spain.

Insurance broker Aon and the DLA Piper law firm launched the guide ahead of the May 25 effective date of the GDPR.

The guide reviews the insurability of GDPR fines across Europe, which can reach up to €20 million or, if higher, up to four percent of a group’s annual global turnover.

The guide also looks at the insurability of costs associated with GDPR non-compliance, including litigation, investigation and compensation, as well as the insurability of non-GDPR regulatory fines.

The authors note that while the insurability of GDPR fines may be limited, insurance should be part of an organization’s risk management strategy to manage costs associated with GDPR non-compliance and resulting business disruption losses. Such costs could include legal fees and litigation, regulatory investigation, remediation and other costs associated with compensation and notification to impacted data subjects.

Prakash Paran, partner and co-chair, Global Insurance Sector at DLA Piper, said that while there are only a few jurisdictions where GDPR fines are insurable, “insurance against legal costs and liabilities following a data breach is widely available across Europe and may provide valuable cover to organizations.”

Corporate groups must also consider “reputational damage and impact on existing customers, the wider market, and their relationships with regulators, all of which may go beyond quantifiable financial losses. Prevention is better than the cure,” Paran said.

The guide highlights that there are currently only a few jurisdictions in Europe where civil fines can be covered by insurance and, even then, there must be no deliberate wrongdoing or gross negligence on the part of the insured. Criminal penalties are almost never insurable. GDPR administrative fines are civil in nature, but the GDPR also allows European Member States to impose their own penalties for personal data violations.

In eight of the jurisdictions it is unclear whether GDPR fines would be insurable. In these jurisdictions, the specific details of individual cases, for example the conduct of the insured and whether the fine is classed as criminal, will need to be considered.

“GDPR will expose organizations to significantly higher risks related to how they manage and store personal data. Data breaches, and other cyber events, could see businesses face both major fines and extensive costs. It is therefore essential that organizations fully understand where their exposures lie. They should work closely with their insurance partners to ensure they have an appropriate risk transfer solution and incident response plan in place,” said Vanessa Leemans, chief commercial officer, Aon Cyber Solutions EMEA.

Source: Price of Data Security: Aon, DLA Piper