June 04, 2019 Feature

GDPR: Does Coverage Exist for Fines and Penalties for Noncompliance?

By Margaret Reetz

Some insurance commentators like to describe the cyber market as being “in its infancy.” The brief history of cyber insurance, however, includes an early recognition of a demand for coverage of fines and penalties relating to breach notification and privacy compliance statutes. These provisions have been an important feature for U.S. policyholders while their insurers have gained considerable insight into identifying and managing the risks.

Typically, the policy language incorporates “most-favorable jurisdiction” provisions. As a matter of public policy, however, there appear to be fewer “favorable” jurisdictions in the European Union (EU)—compared to the United States—that would allow for insurance recovery of fines and penalties. With the implementation of the EU’s General Data Protection Regulation (EU) 2016/679 (GDPR), effective May 2018, this has become an important focal point given the regulation’s potential scale for fines, as well as the scope of the activity under scrutiny. Many legal advisers and insurance brokers are sounding notes of caution. While a certain level of anxiety is appropriate in anticipation of full-throttled GDPR enforcement, some groundwork has been laid that may help to frame the issues.

GDPR in Brief

GDPR, the EU’s updated data protection regulation, was the subject of over two years’ worth of intense commentary and preparation for implementation after it was enacted in April 2016. GDPR replaced the European Data Protection Privacy Directive, which established protections for the processing of personal data, including the free movement of such data. With GDPR, the EU sought to enhance protections, unify regulations across member states, and improve individual control over personal data, among other things. Key features of GDPR include:

  • Territorial scope extends beyond the EU to entities that offer goods or services to EU data subjects or that monitor EU data subjects’ behavior.
  • Explicit consent is required to process personal data.
  • Individuals have the right to be informed (who is collecting their data and for what purpose) and to be forgotten (individuals can request erasure of data; data not to be retained).
  • Breach notification is required within 72 hours.
  • Additional compliance obligations are imposed on data processors and controllers (appointment of data protection officers; appropriate technical/organizational measures).
  • Supervisory authorities (SAs) (regulators from member states) may impose increased penalties that include fines up to 4 percent of total global annual turnover (revenue) or €20 million, whichever is greater. The maximum fines for administrative violations are 2 percent of revenue or €10 million, whichever is greater.

A handful of fines have been imposed by the SAs post-GDPR implementation. The Austrian Data Protection Authority issued a fine against an entrepreneur for installing a CCTV camera in front of his establishment. The regulator found this to be a large-scale monitoring of public spaces that is not permitted under GDPR and issued a moderate fine of €4,800. Portugal’s regulator issued three fines to a hospital, totaling €400,000, that related to violations of the principles of data integrity/confidentiality and minimization. One of these violations involved 985 users who were identified as “doctor,” but official charts from the human resources department reflected only 296 doctors as staff. In Germany, a social network received a €20,000 fine after a hack caused 808,000 email addresses to be leaked along with over 1.8 million user names and passwords.

Uber and Facebook were fined by EU privacy regulators in 2018, but these fines were based on pre-GDPR regulations. Commentators believe that post-GDPR, Facebook could face billions in fines as regulators investigate the September 2018 breach of 50 million users’ personal data (pre-GDPR, the United Kingdom (UK) imposed the maximum fine of £500,000 against Facebook for failure to protect users’ personal information relating to Cambridge Analytica’s data-harvesting).

Coverage for Fines/Penalties—Generally

As noted, cyber insurers are accustomed to providing some type of coverage for fines/penalties imposed under U.S. privacy regulations and breach notification statutes. While U.S. case law and regulations leave some gray areas, insurers follow the model relating to “punitive damages,” where “insurability” is analyzed on a state-by-state basis. Some jurisdictions allow for recovery of fines that are arguably “compensatory” as opposed to “punitive.” The language is usually drafted to give policyholders the benefit of that doubt. Cyber forms use language like the following:

  • a loss includes “civil fines or penalties imposed by a [governmental authority further to a regulatory claim] unless . . . uninsurable under the law of the jurisdiction imposing such fine or penalty;” or
  • “insurability of [fines/penalties] will be in accordance with the law in the applicable venue that most favors coverage.”

Member States Matter

The text of GDPR itself does not address “insurability.” As in the United States, a jurisdiction-by-jurisdiction analysis is required. Some member states’ law may not explicitly prohibit the granting of insurance coverage for administrative fines; however, contracts that include refunds of fines for future offenses could be considered a “moral hazard.” The legal systems would consider such terms void because they have the appearance of creating incentives for unlawful behavior.

Mindful that GDPR conceivably poses a momentous shift, a couple of the larger broker firms promptly weighed in to help navigate the landscape. Aon and Marsh produced summaries and guides to GDPR fines and the potential for coverage. Their guidelines suggest that companies will have to consider several factors, including the following:

  1. the insured’s domicile;
  2. choice of law provisions within the policy terms;
  3. whether terms expressly provide coverage for an administrative fine under GDPR;
  4. differences in triggering terms, depending on the type of incident/violation; and
  5. where insurability for fines is unlawful or against public policy, examine coverage for potential recovery of other sums, e.g., investigation/defense expenses for an incident/regulatory action, claims by third parties, or costs to mitigate a breach.

The analysis suggests that direct recovery for fines/penalties may be allowable only in Finland and Norway. Norway proposed legislation so that GDPR fines would not be considered “criminal sanctions.” Finland does not allow recovery for grossly negligent conduct, but there is no prohibition against agreeing to indemnify regulatory fines. There is some uncertainty relating to whether specific jurisdictions would consider a GDPR fine to be a legally impermissible risk. Other jurisdictions may have no explicit prohibition, but such contracts (policies) could be deemed unenforceable as a matter of public policy (e.g., Croatia, Estonia). In 20 of the 30 jurisdictions analyzed, GDPR fines were considered not insurable.

Sinking In

When asked specifically about insuring fines/penalties, the UK’s ICO spokesperson commented that the focus should not be on insurance recovery but on compliance, emphasizing that “organizations should be looking to recognize the benefits of good information rights practice[s].” William Shaw, Are GDPR Fines Insurable? UK Watchdog Won’t Say, Law360, London (Sept. 19, 2018). In the immediate post-GDPR “glow,” regulators suggested a “we-will-work-with-you” approach, employing tools like temporary bans, assessments, and audits. Some suggest compliance efforts will reduce risks as entities eliminate or shrink the amount of data stored or managed. Meanwhile, EU member states are reporting increases in privacy complaints post-GDPR. At a recent conference, France’s regulator commented that the time for transition “is coming to an end.” The regulator said that “it’s time for action,” and there will be “teeth.” Jedidiah Bracy, Dispatch from Brussels: GDPR enforcement, guidance to come in 2019, The Privacy Advisor (IAPP, Nov. 28, 2018). Check the specific terms, but bite marks may be excluded as a bodily injury . . . however, a “most-favored” molar provision, probably not?

The material in all ABA publications is copyrighted and may be reprinted by permission only.


Margaret (“Peggy”) Reetz is a partner at Mendes & Mount, focusing on cyber/data security and privacy issues. She acts on behalf of insurers and their policyholders in managing data security/privacy incidents and claims, as well as technology, intellectual property, and media-related disputes. She may be reached at [email protected].