Insurers warned to assess data exposures ahead of GDPR

Policies across many lines could end up picking up claims, according to an expert

Insurers warned to assess data exposures ahead of GDPR

Cyber

By Lucy Hook

An “impending wave” of compensation claims and regulatory fines under the General Data Protection Regulation (GDPR) is likely to mean significantly increased data exposures for insurers, according to a cyber and data risk expert.

The GDPR, set to come in next May, will empower individuals to take redress against organisations for misusing their data, leading to increased litigation which could impact both dedicated cyber policies and other lines of insurance, says Hans Allnutt, partner and head of cyber & data risk at DAC Beachcroft.

“In the UK there is a common view that a breach of the GDPR is around the loss of data, when actually it’s much wider than that: it’s the misuse of data too,” Allnutt told Insurance Business.

The GDPR will implement a simple framework for individuals to claim compensation against companies that have misused their data, as well as bring in an entitlement for claimants to appoint not-for-profit organisations to pursue claims on their behalf.

That, coupled with a “relatively friendly” cost regime for claimants and claimant lawyers in the UK, is predicted to spur a wave of claims against companies – which insurers may end up shouldering, according to DAC.

“There has been a growth of cyber insurance policies and data breach policies specifically aimed at these risks around cyber losses and data breaches,” Allnutt explained.

“They are clearly going to be exposed by increased litigation, but ultimately that’s what those policies are designed to do. However, across other lines of indemnity and liability insurance, there is the potential to pick up these sorts of claims,” he went on to say.

In the same way that insurers have been warned to assess their silent cyber exposures across other lines of business, they should equally be looking at their silent exposures to data risk, the lawyer said.

“Ultimately, insurers need to identify that these claims are coming in, and decide on their appetite to pick up claims – not only under policies that are targeted directly at the risk, but also where they are going to pick up these claims on other lines of liability insurance,” commented Allnutt.

“They need to revise both express wordings that pick up these claims, because of the change in the name of the laws, but also exclusions too,” he explained. “They may have exclusions under those policies which exclude the Data Protection Act, but might not refer to the new GDPR.”

In a recent report from DAC Beachcroft, the coming GDPR legislation was described as bringing in “a whole new phase of privacy litigation.” The 18-month study found that over 80% of jurisdictions expect compensation claims for data protection breaches to rise under the GDPR.


Related stories:
Nearly a third of UK firms unprepared for GDPR – survey
Stakeholders weigh in on IDD, push for delay

Keep up with the latest news and events

Join our mailing list, it’s free!