GDPR: A Catalyst for the European Cyber Market

When the European Union General Data Protection Regulation (GDPR) came into effect in May 2018, we in the cyber insurance industry all wondered how zealously each national enforcement agency would levy fines for the inevitable infringements. Aside from the special case of Google’s €50M fine, imposed on a tech giant that was already in regulators’ sights for alleged antitrust violations (CNIL 2019, 1–3), fines by all other regulators against all other firms totalled only €6M in the first year of the GDPR (EDPB 2019a, 13).

Were regulators not inclined to impose large GDPR penalties? Were regulators taking their time processing the 90,000 self-reported data breaches and 145,000 consumer complaints already received (EDPB 2019b, 1)?

Now we know that at least the UK’s Information Commissioner’s Office (ICO) was merely taking its time. On successive days, the ICO issued fines of £183M to British Airways and £99M to Marriott International for their widely publicised data breaches. These represent fines of approximately 0.6% against 2018 revenues of $20B for Marriott (Statista 2019a, 2018–2019) and 1.75% against 2018 revenues of $13B for British Airways (Statista 2019b). The stiff penalties indicate that the ICO will act emphatically against firms that leak consumer data to apparent cyber criminals; display substandard, inconsistent, or negligent security practices; or show any delay in reporting and remedying the breach.

At the same time, by staying under the GDPR’s penalty threshold of 4% of annual revenue, the ICO has signalled that it could have been worse. The highest fines will presumably be reserved for companies that are judged to have intentionally violated the GDPR, collected data inappropriately, concealed or failed to remedy the breach, or refused to cooperate with the investigators. Although they do not set any formal precedent for other regulators, the ICO rulings may spur other countries to up their game in “dissuading” companies from transgressing GDPR requirements.

After these sobering reprimands, firms across many market sectors will be re-evaluating their risk of becoming another costly example for GDPR regulators. CEOs and board members will be asking, “Could this happen to us?” With this growing awareness, the door stands open for insurers to step in as trusted advisors to their clients on how to address complex data security, privacy, and system availability requirements.

Our industry’s risk management expertise can motivate conversations about the evolving risk landscape. Telling the story of claims paid for prior data breach incidents (or not paid due to lack of coverage) will be compelling. Many of these examples will predate GDPR enforcement, but explaining what additional regulatory actions and fines might have been applied under the newer guidelines will make them pertinent. Additionally, the very act of completing a cyber insurance application is an opportunity to bring stakeholders together to reflect on cybersecurity hygiene and GDPR compliance preparedness.

These recent GDPR enforcements are a wake-up call and an opportunity for firms to ensure that their people, processes, and technology are resilient in the face of cyber threats. By leveraging the combined data breach experience and best practices of their entire portfolio, cyber insurers are well positioned to advise and support their clients on that journey.

References

CNIL. 2019. “The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC.” https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc.

EDPB (European Data Protection Board). 2019a. “First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities.” http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf.

EDPB (European Data Protection Board). 2019b. “GDPR in numbers.” https://ec.europa.eu/commission/sites/beta-political/files/infographic-gdpr_in_numbers_1.pdf.

Statista. 2019a. “Revenue of Marriott International worldwide from 1999 to 2018 (in billion U.S. dollars).” https://www.statista.com/statistics/266279/revenue-of-the-marriott-international-inc-hotel-chain/.

Statista. 2019b. “British Airways Plc’s worldwide revenue from FY 2010 to FY 2018 (in million GBP).” https://www.statista.com/statistics/264296/british-airways-worldwide-revenues-since-2006/.