The International Underwriting Association (IUA) has issued a report highlighting a number of factors that may drive up both the volume and cost of claims against general liability policies as a result of the General Data Protection Regulation (GDPR).
As a result of this potential increase in insurance claims for data breaches, insurers should carefully consider whether policy limits and sub-limits currently in place are appropriate for the reality of new exposures, said the IUA.
Research undertaken by the IUA’s Liability Underwriters’ Group states that changes to the right to compensation for data breaches, lower thresholds for notifying such breaches and higher defence costs, are all factors that may have an impact on liability claims, together with the introduction of group litigation into data protection law, enabling consumer bodies to represent multiple individuals in mass claims.
The report, titled Data Protection Liability Extensions, discusses a number of other issues for insurers to consider as a result of the changing regulatory environment, including reviewing references to data protection legislation in policy wordings and examining current policy triggers, which may be on a claims-made or losses-occurring basis with quite different implications for the cover offered.
The report adds that underwriters may wish to review their existing risk management assessments, questioning, for example, the extent of a client’s GDPR compliance, as well as assessing the territorial scope of policies as this will influence the ability of claimants to call on their coverage.
The report also points out that under the GDPR, the threshold for notification of a breach is lower than that under the Data Protection Act 1998, which could lead to increased costs for UK companies and, in turn, insurers providing data protection cover.
The IUA notes that the GDPR is an EU regulation, and in the UK the Data Protection Act 2018 will introduce derogations from the European rules, in addition to providing clarity on how European standards will be applied. The IUA warns that referring to the GDPR alone “will not fully represent the legal position in the UK, not only because of the likely derogations, but also in view of the UK leaving the European Union”.
The report also highlights potential coverage overlap or discrepancies between language used in data protection extensions and cyber-specific extensions. “If there are extensions for both, there should be a clear divide between the coverage offered in each extension and an understanding of how they interact. If inadequately drafted, it is possible that cover under one provision is expressly excluded under the other, while cover that the insurer intended to offer might be erroneously excluded under one of the provisions.”
Full article on Commercial Risk (subscription required)
Full report on International Underwriting Association (subscription required)
© IUA - The International Underwriting Association of London Limited
Key
Hover over the blue highlighted
text to view the acronym meaning
Hover
over these icons for more information
Comments:
No Comments for this Article