Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Beware: Cyberinsurance Won’t Protect You From GDPR Fines!

June 6, 2018

I know that headline will worry a lot of folks. On this side of the Atlantic, it is pretty routine for cyberinsurance to cover (if you pay the premium for it) the payment of fines. But as IT Governance reported on June 4^th, that's not true with the EU's General Data Protection Regulation (GDPR).

Insuring against fines would have been nice, especially as the GDPR gives supervisory authorities the power to issue penalties of up to €20 million (about $24.4 million) or 4% of an organization's global annual turnover, whichever is greater. U.S. organizations that are subject to the Regulation must elect one of the EU member states' supervisory authorities. However, it seems that no matter which member state an organization chooses, its laws don't allow for insurance against GDPR fines.

Aon's guide, The price of data security, found that almost all European countries prevent organizations from insuring against GDPR fines. The only exceptions are Finland and Norway.

The relatively good news is that large fines will probably be much less common than people have predicted. In most cases, supervisory authorities will only issue fines if other disciplinary action isn't deemed suitable. Even if fines are necessary, the maximum penalty will be reserved for flagrant or repeated violations of the Regulation. OK, that makes me feel a little better, but it still is a pretty big looming threat that can't be covered by insurance.

Although it's generally not possible to insure against fines, organizations can insure against other damages related to the GDPR. Depending on the circumstance of the violation, cybersecurity insurers will compensate organizations for the cost of:

Legal fees
Regulatory investigations
Incident response
Hiring a public relations firm to mitigate reputational damage
Notifying and compensating affected data subjects

A small number of organizations have already taken out GDPR insurance, but that number will no doubt grow. For the moment, entities are still scrambling to become GDPR compliant!

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

Sharon D. Nelson, Esq.
President

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ride the Lightning

Beware: Cyberinsurance Won’t Protect You From GDPR Fines!

Subscribe for More!

Recent Posts

Listen to the Podcast

Disclaimer