July 14, 2021 Did You Know?

Risks Outside the United States and Cyber Insurance

By Margaret A. Reetz

Does your cyber insurance travel well? Okay, maybe insurance coverage isn’t everyone’s first choice as a travel companion, but it may well be worth your while to identify any non-U.S. risks, exposures, and liabilities and consider whether your cyber insurance coverage applies in circumstances arising outside of the United States. Most of the larger or established cyber insurers will include provisions stating that the policy applies “anywhere in the world,” where legally permissible, and that this applies to both first-party losses and third-party liabilities. This is a helpful provision for any entity that may not anticipate large-scale non-U.S. exposure but would like the assurance that, if it captures EU data subjects’ personal data, for example, the policy will respond to regulations relating to that data. Many policies are explicit on that point and define “personal” or “confidential” information as information that is considered “personal data” within the meaning of the General Data Protection Regulation (GDPR).

However, because many of the first claims and losses to test the limits of cyber policies have arisen exclusively within the U.S., most of the actual adjusting of such losses and handling of such claims has focused on retention of U.S. counsel, U.S.-based forensic vendors, and U.S. breach response firms. In other words, the policies typically will refer to U.S. panel firms and vendors. Though the policy terms may allow the policyholder to select such firms and state that “consent will not be unreasonably withheld,” when faced with the urgency of responding to a ransom attack, the policyholder likely would find greater comfort where its insurance partner already had relationships, or at least contacts in place, with incident response teams outside the United States, where events or circumstances dictate the need for such assistance. Many U.S. lawyers are well-versed in GDPR compliance issues, but even the most sophisticated firms will not be as familiar as local counsel with the process for notifying a non-U.S. regulator (this was particularly evident in the immediate aftermath of GDPR implementation, which provides a cautionary tale as other countries update data and privacy regulations).

Some policyholders have specific needs when it comes to identifying risks associated with cross-border data transfer issues. GDPR and now Brazil’s Comprehensive Privacy Law (LGPD) require that where any of their data subjects’ data is transferred outside their jurisdictions, the entity must provide an “adequate level of data protection.” These laws have “extraterritorial” consequences because the regulation follows the data: it applies if the data was collected within the jurisdiction, or if an entity offers goods and services to that jurisdiction’s data subjects. Most cyber policies will have language that captures regulations broadly addressing information that identifies an individual. However, policyholders always feel more comfortable when the regulations of the jurisdictions where they are active are specifically addressed. This also would be important in non-data-breach scenarios, where a policyholder is responding to a regulator’s inquiry regarding data collection practices.

Many small and medium businesses now have some kind of footprint in China, for ease of access to vendors, suppliers, or contractors, and, of course, the scale of operations is significant for major corporations. China has recently released a draft of its Personal Information Protection Law (PIPL), which takes a different approach to data from the U.S. and EU approaches. The Chinese law, like GDPR, has extraterritoriality provisions that apply to personal information that is “processed” outside of China where an entity is offering goods and services to Chinese citizens (e.g., data minimization and purpose limitation protocols). Not surprisingly, the law prioritizes national security through data localization (data must be stored in China), cross-border flow restrictions, and continued surveillance powers. Companies can be limited or banned from processing data. Such dramatic measures may not trigger a “claim” or “loss” under some cyber forms. These are issues worth highlighting in discussions with your cyber broker or insurer where your organization has any kind of access to or control of data outside the United States.

The material in all ABA publications is copyrighted and may be reprinted by permission only.


Margaret (“Peggy”) Reetz is a partner at Mendes & Mount, focusing on cyber/data security and privacy issues. She acts on behalf of insurers and their policyholders in managing data security/privacy incidents and claims, as well as technology, intellectual property, and media-related disputes. She may be reached at [email protected].