US firms brace for data law fallout
Posted On: Jun. 4, 2018 12:00 AM CST
The ability of European Union regulators to levy sizable fines under the EU’s new General Data Protection Regulation and uncertainty surrounding the insurability of the fines are particularly worrisome parts of the new regulation.
While some experts believe well-intentioned companies have little, if anything, to worry about, others warn regulators will be eager, particularly initially, to make examples of firms that stray from complying with its provisions.
Other concerns about the 100-page regulation, which took effect May 25, include a provision that calls for data breach notification within 72 hours of when companies learn of the incident.
Meanwhile, many expect the regulation to create a boom in demand for cyber insurance.
The GDPR affects any U.S. company that conducts business with or has employees in European Union countries. One critical difference between the GDPR regulation and U.S. regulations, say observers, is that underlying the EU regulation is a fundamental focus on the right to privacy, while U.S. regulations tend to be oriented toward data breaches.
While awareness of the regulation increased as its enactment date neared, at least some corporations remained unprepared, experts say.
“I would say a relatively small subset (of firms) are prepared,” and some who believe they are prepared are not, said John F. Mullen, a partner with cyber-focused law firm Mullen Coughlin L.L.C. in Wayne, Pennsylvania.
Matt Prevost, senior vice president with Chubb Ltd. in Philadelphia, said: “It clearly runs the gamut. I’d say the companies that do have the budgetary ability and also kind of the focus, historically, on cyber security, data security and privacy security — some of this they’ve been doing for years.” But, “we’ve seen some companies decide to shutter specific business segments based on this, or technological issues based on the complexity of GDPR.”
Attention has focused in particular on fines of up to €20 million ($23.9 million) or 4% of the prior financial year’s worldwide annual revenue, whichever is higher, that can be levied against companies for violating the regulation. It has “without question” caught clients’ “high-level attention as to the severity, or potential severity, of enforcement,” he said.
“That gives the regulators a very big stick,” said Max Perkins, London-based senior vice president with Lockton Cos L.L.C.
The question is how strongly this will be enforced, according to some experts.
“I personally think they’re going to make examples of companies immediately after we reach the deadline” and will be strict in their interpretation of the GDPR, said Shannon Groeber, Philadelphia-based senior vice president with JLT Specialty USA, a unit of Jardine Lloyd Thompson Group P.L.C.
But Philip L. Gordon, a shareholder at Littler Mendelson P.C. in Denver, said: “I tend to be in the camp that the maximum penalties will be reserved for the highest-profile companies with the largest impact on EU consumers as a means for EU data protection regulators to exercise leverage to impact their behavior.”
Matthew McCabe, New York-based senior vice president with Marsh L.L.C.’s cyber practice, said: “My understanding is, they’ll be used judiciously, and they’ll really be targeting bad actors.”
Insurance policies provide coverage for fines, but “one major thing we don’t know is, are they going to be insurable by law or are they going to be looked at as more punitive in nature,” with insurers forbidden to indemnify them, said Meredith Schnur, Summit, New Jersey-based senior vice president with USI Insurance Services L.L.C.
A guide issued by Aon P.L.C. and law firm DLA Piper last month said GDPR fines were insurable only in Finland and Norway of the 30 jurisdictions reviewed, while in others they are either uninsurable or their insurability is unclear. Coverage is also generally triggered by data breaches, not the data collection issues that may be violations under the GDPR, according to experts.
However, Ann O’Leary, Chicago-based senior broker with Aon’s financial services group, said some insurers “have started dipping their toes into providing more expansive coverage and broadening policy triggers,” particularly regarding wrongful data collection.
Another issue is that customers must be informed of data breaches within 72 hours, which will be a challenge, say observers. In the U.S., firms typically have 30 days to notify consumers of data breaches, and rushing this information out so fast could lead to errors, they say.
In addition, the GDPR imposes equal liability on the data owners and their data processors, said Tom Finan, Arlington, Virginia-based client engagement and strategy leader for North America for Willis Towers Watson P.L.C.’s cyber solutions team. If a company’s third-party vendor is not in compliance, then “you’re not in compliance either,” he said.
Observers say the GDPR will lead to increased interest in cyber insurance. A report by American International Group Inc.’s European unit issued May 24 said a further surge in data breach and other security failure insurance claims is expected with the GDPR’s enactment. The GDPR will undoubtedly “incentivize more purchasing of cyber insurance” in the EU and U.S., said Mr. McCabe.