The General Data Protection Regulation (GDPR) went into effect in May. It applies to data processing by companies and organizations that operate within the European Union and those outside the EU that offer goods or services to individuals in the EU. The GDPR regulates controllers and processors of personal data, i.e., any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. Much of the focus on the GDPR has been on the reporting requirements—reporting must be done within 72 hours of becoming aware of a personal data breach—and the penalties, which can be up to 4% of a company’s annual revenue.
Those in the insurance industry are also focusing on cyber insurance and an anticipated uptick in liability claims. Reports that the GDPR has increased demand for cyber policies are not surprising. Cyber insurance has become increasingly important for businesses as cybercrime continues to be a growth industry with reports of annual profits of $1.5 trillion.[1] With the GDPR’s enhanced notification procedures, claims under cyber insurance policies are also anticipated to increase, even as debate continues over whether GDPR fines are “insurable.”
[1] See Darkreading.com, “Cybercrime Economy Generates $1.5 Trillion a Year,” Kelly Sheridan, 4/20/2018.