The EU Data Protection Directive, officially Directive 95/46/EC, is the European directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data within the EU. To put it simply, if you are a European business, or one with operations in the EU, and you handle customer data, then this legislation and the reform that is replacing it will have an impact on you.
So what does this mean from an insurance perspective and how should brokers be advising their clients? Neil Gurnhill, cyber & technology broker at Safeonline outlines the key points.
Data is the new oil
Data has become the new must-have for criminals. It is easy to get hold of, easy to move around and easy to exploit. It is also extremely valuable: GP records, national insurance numbers and dates of birth are all hot property because they let criminals commit highly lucrative fraud. The new EU rules will clamp down heavily on companies that lose personal data, regardless of how they lose it. Brokers need to communicate any potential changes to clients' cyber policies to ensure they are covered for the costs associated with these rules.
Regulation, not directive: it is compulsory
The reform that replaces Directive 95/46/EC is being drafted as a regulation (the General Data Protection Regulation), and a regulation, unlike a directive, applies directly in every member state without needing to be transposed into national law. It will be compulsory for all EU companies and for any non-EU company that has European operations or handles EU personal data. Under the draft text, fines for loss of data can reach a maximum of 5% of global annual turnover. From an insurance perspective, cyber take-up in the UK has been relatively slow because there has been no legislation forcing the issue. Expect this to change as organisations look to protect themselves against these costs.
US/Canada should be seen as examples
In the US and Canada, stringent regulations around data processing and breach notification have meant that the cyber insurance market has grown rapidly. Whilst the EU reform has been a long time coming, it is widely expected to come into force in 2016 and to stimulate demand for cyber insurance in the same way. There will, however, be a shortage of education on the subject: brokers need to get up to speed with this class of business, or work with a Lloyd's cyber broker who can provide specialist advice.
Notification fines & penalties
Breach notification will form a large part of the new EU rules. In the US and Canada there are already strict procedures governing how organisations must report data breaches, including time limits and, in some regimes, costs per individual record lost. According to the Ponemon Institute, the average total cost of a breach works out at $154 per lost or stolen record; this is an all-in figure covering notification, investigation, remediation and lost business, not a regulatory fine. On that basis an organisation with 1m records breached would be looking at costs in the order of $154m, although Ponemon's per-record averages are drawn from smaller breaches and do not scale cleanly to breaches of that size. Cyber insurance can help to cover these costs.
Changing the role of risk managers
Larger organisations (those with over 250 employees) will often already have a data protection officer. What the new EU rules will do is give risk managers and data protection officers more to consider when thinking about insurance. Any broker worth their salt will be expected to understand the rules and offer advice from a risk mitigation perspective.