Tuesday, 12 June 2012
EU data protection law will need risk and insurance responses
A key part of current cyber insurance policies has been the provision of coverage for the costs incurred by a data breach, especially one that involves the loss of private or personally identifiable customer data. Up to now, the take-up of these insurance products has come mostly from the US, where it is mandatory for companies to inform their customers in the event of a data breach. However, the European Union is about to issue changes to its data protection framework, and this should see an increase in insurance adoption by European companies.
At the annual Communications, Media and Technology Conference held by insurance broker Marsh last month, the assembled risk managers were given advice on the implications of new data protection laws by the UK’s Information Commissioner’s Office.
Risk managers were also given further advice from the legal community on how to draft an IT policy that conforms to the likely changes to data protection and also reflects the changing nature of technology—notably the growth of social media and the rise of cloud computing.
These technology changes are the main reason that European data protection law has been updated.
As David Evans, Group Manager, business and industry group for the UK Information Commissioner’s Office, stated: “Most of the data protection rules were drawn up before anyone sent an email, let alone used Facebook, so it needs to be updated and at the ICO we have been saying this for a while so we welcome the changes.”
Under current EU data protection laws, only public sector companies, internet service providers (ISPs) and telecommunications operators are required to notify customers in the event of a data breach.
But the newly revised data protection framework will make breach notification compulsory for everyone.
The new framework will mean improved rights for individuals. There could also be much harsher penalties for offenders, including the possibility of heavy fines of up to 3% of a firm’s global turnover.
Although Mr Evans said that the ICO generally welcomed the revised framework, he also expressed some reservations about certain weaknesses in the proposed directive, such as an overly prescriptive approach to certain details.
“We think it should be principles-based and that companies should be able to make the changes themselves rather than have us do it for them,” he said.
Mr Evans also cited the retention of certain categories of data that may be outdated and a lack of focus on privacy risk that could lead to a box-ticking exercise rather than a sincere effort to prevent ‘something bad’.
“Get your lawyers to look at this now,” warned Mr Evans. “What we don’t want is a compliance scramble where people wake up one morning and realise how much has changed. If you think there are things in the rules that horrify you, start working on them now. This is not something just dreamed up for the hell of it. It is there to protect people’s information and we want people to be compliant from day one,” he continued.
In one sense these cookies help websites to function more efficiently by remembering previous visitors’ preferences. However, these same cookies can also be used to build up long-term records of individuals’ browsing histories, which is a privacy concern for regulators.
Previously, websites had to inform users that cookies were in use and give them the option to opt out; however, the new ‘consent for cookies’ law requires users to opt in.
The change came into force on May 26, 2011, yet more than one year on, compliance has been less than widespread, conceded Mr Evans. “We decided that we would try to be pragmatic. We would give people a year to be compliant and not enforce it with anyone before then. But it has been challenging,” he said.
Underwriters are similarly concerned about the changes to data protection and how they will affect Errors & Omissions policies and coverage for data breaches.
“These policies are generally broad and likely to have been in place for a number of years,” said Paul Bantick, head of TMB UK Speciality Lines at Beazley.
“Risk managers must make sure there are no exclusions for data breaches and that it covers regulatory-related losses. They should also ensure that the policy covers employees’ data and not just customers’ and ensure that a crisis management sub-limit is added,” he added.