The GDPR enforcement date is right around the corner (May 25, 2018), which means it is time to double and triple check your insurance policies to make sure you are adequately covered for GDPR-related exposures. Unfortunately, coverage for GDPR-related exposures is not a given under stand-alone cyber policies. Many cyber markets are offering "GDPR Endorsements" that affirmatively provide a certain level of coverage for the privacy-related aspects of the GDPR.
Without an exclusion or affirmative coverage grant, how do you know if your current cyber policy will cover you in the event that you are faced with an alleged violation of the GDPR?
Here are a few things to consider when evaluating a policy for GDPR privacy-related exposures:
Review relevant definitions such as Privacy Regulation, Privacy Regulatory Proceeding and Personal Information (note: cyber policies use differing terminology, so refer to whatever equivalent terms your policy uses). Confirm that a GDPR-related claim would satisfy these definitions. The GDPR defines "personal data" more broadly than U.S. laws define Personally Identifiable Information; it reaches any information relating to an identified or identifiable natural person, including identifiers such as IP addresses and device IDs that many U.S. policies do not treat as PII. Therefore, it is crucial to confirm that the relevant definition within the cyber policy is at least as broad as the GDPR's definitions of "personal data" and of the "special categories of personal data" (commonly called sensitive personal data).
PRO TIP: Many of the current "GDPR Endorsements" simply add a reference to "the GDPR" to the definition of "Privacy Regulation" and/or "Privacy Regulatory Proceeding." This may not be enough if the definition of Personal Information is not broad enough to capture everything the GDPR treats as personal data.
Identify the "triggers" in the relevant insuring agreements and review the defined terms within them. The most likely relevant insuring agreements are Privacy/Security Liability, Regulatory Defense/Indemnity, and Notification Costs (again, cyber policies use differing terminology, so refer to the equivalent insuring agreements in your policy). Typically, the policyholder bears the burden of "triggering" the insuring agreements in any policy. To do this, the policyholder must satisfy every element set forth within each insuring agreement. Therefore, one must look to each defined term within the insuring agreements to determine whether all the requirements imposed by those definitions are, or could be, satisfied. Pay special attention to terms like "privacy breach" and "security breach." Keep in mind that most policies require some sort of breach of security or privacy in order to "trigger" the relevant insuring agreements, whereas many GDPR obligations (and potential fines) arise from processing violations with no breach at all.
PRO TIP: The GDPR has a very specific definition of "personal data breach" (Article 4(12)): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Note that this covers availability and integrity incidents (for example, a ransomware encryption or an accidental deletion), not only confidentiality incidents. Be sure to compare that definition against the relevant term(s) within the policy, since a policy "breach" definition limited to unauthorized disclosure or access may be narrower than what the GDPR requires you to notify.
Consider the "Territory" Clause. Does your policy extend "true worldwide" coverage (i.e., will the policy respond to claims made anywhere in the world)? Will it pay notification costs for affected individuals anywhere in the world, including notifications to EU supervisory authorities and data subjects? Of equal importance is a review of all definitions within the policy that make reference to a jurisdiction or jurisdictions. Many policies include wording within some exclusions, definitions or conditions such as "...or any federal, state, local or foreign law..." It is important to know whether the word "foreign" appears in every such location and, if not, to understand the implications for a claim arising under EU law.
PRO TIP: Pay particular attention to any inconsistency around the word "foreign." If it appears in some places but not all, the omission is likely intentional from a coverage perspective.
Consider whether fines/penalties will be insurable. Where an insurance policy provides coverage for fines and penalties, it is almost always subject to the caveat that coverage applies only to the extent such amounts are "insurable under the law." The extent to which fines and penalties arising from violations of the GDPR (which can reach the greater of EUR 20 million or 4% of worldwide annual turnover) are "insurable" is still an open question, and the answer will vary by jurisdiction and by the nature of the violation. As such, it is possible that fines and penalties would not be covered at all.
PRO TIP: Look to see whether your policy provides "most favorable venue" wording in regard to fines and penalties, so that insurability is judged under the law of whichever relevant jurisdiction permits it. Many times you will see this wording in connection with punitive damages only, not regulatory fines.