The increase in financial penalties for non-compliance with data protection legislation was one of the most notable changes implemented through the introduction of the General Data Protection Regulations (GDPRs). Since May 2018, businesses face being fined up to 4% of their annual worldwide turnover by the Information Commissioner’s Office (ICO) for data breaches, and 2% of their annual worldwide turnover for non-compliance with data protection legislation. A flurry of high profile fines (including a record £183m fine imposed on BA, and £99m on Marriott International) has demonstrated the risks and shown that the ICO is taking non-compliance very seriously indeed. The ICO’s stance, a spike in targeted cyber attacks (which could have detrimental data breach implications), and the fact that data is now valued by businesses as a key asset, combine to make it paramount that businesses ensure they have adequate protection against the financial and reputational consequences of a data breach.
Whilst the risk of damage to a business from a data protection breach is undeniable, the potential loss, from both financial and reputational perspectives, is difficult to calculate. The unknown risks create a problem when trying to assess the appropriate and proportionate approach to insuring and managing such risks, so what should businesses do?
Undertaking a data protection audit of your business is a good way of determining your data protection exposure and identifying where your risks lie, and is also a really good way of demonstrating compliance with the GDPRs. An audit can identify the value data holds within your business and the areas where work and security measures are needed, and can include a review of the policies and procedures in place for managing data breaches.
Of course an audit will help to identify risk areas, but it doesn’t in itself provide the protection needed, so considering insurance is key.
Cyber insurance - worth considering?
Since the introduction of the GDPRs, the specialist cyber insurance market has grown substantially: specific policies covering breach notification, legal fees and claims, and standalone cyber policies are becoming the norm. The increase in data risks and the introduction of standalone data policies has led insurers to review their existing approach to policies and expressly exclude data breaches and data issues which may previously have been covered by other, more general policies, such as professional indemnity insurance or directors’ and officers’ insurance. Taking the time to consider your current protection and potential exposure could prove to be time well spent.
There are three other key ways of ensuring control over your data risk exposure:
- Contracts – reviewing your existing contracts with customers and suppliers and creating an internal approach to liability and indemnities is useful. Looking at what caps on liability you have agreed to, and what liability limits your suppliers and customers have agreed to, will help to measure your potential exposure. Looking at whether you have provided unlimited indemnities and whether certain data related heads of loss are excluded in your contracts will also help identify what potential risk you are exposed to under such contracts.
- Mitigation – as already mentioned, a data audit is a good way of identifying risks and areas which need work. Once identified, taking positive protection measures and implementing adequate policies, training and procedures throughout your business will help to reduce the risk of potential data exposure.
- Accreditations – look at whether you can go beyond mitigation and seek to adhere to industry recognised standards in relation to data security to prevent risk. One high profile, government approved accreditation scheme is Cyber Essentials, which enables businesses to take measures to protect against, and therefore reduce exposure to, data risks.
What should you do today?
- Review your current insurance policies. If you have a specific cyber insurance policy, look at the policy and its exclusions to check whether the protection is adequate in terms of protecting against penalties, compensation, claims and reputational damage. If you don’t have specific cyber insurance, look at your existing coverage closely to see whether data breaches are covered, and assess whether additional cover is required.
- Give serious consideration to a data protection audit – and follow through with putting protection in place and updating policies and procedures.
- Review your contracts with customers and suppliers to confirm and quantify liability limits and indemnities.
The potential risks to businesses from data breaches and non-compliance have increased dramatically in recent years, and whilst it’s difficult to quantify the risk of exposure, being aware of data risk areas and taking a proactive approach to insurance and caps on liability will help you retain control and manage this rather uncertain area.
Rebecca Leeves is a Senior Associate in DMH Stallard’s Commercial team.