GDPR: Regulation with Wide Reach and Deep Consequences

By Cara Murray, Assistant Vice President, Alliant

Multinational companies are currently, or should be, preparing for the European Union’s General Data Protection Regulation (GDPR) to go into enforcement on May 25th 2018. The GDPR is replacing the EU’s prior information protection regulation, the Data Protection Directive, continuing the European Union’s strict requirements for organizations that collect and use information of EU citizens. On the whole, the regulatory regime in the EU is designed for the benefit of information subjects – the people whose information is being collected, used and stored.

The updates included in the GDPR are based on both the continued evolution of data-collecting technology and data usage, and the evolving regulatory regime relating to data around the world.

One of the major provisions of the GDPR is its applicability to any organization maintaining or processing data of individuals residing in the EU regardless of the location of the company itself. As data can move easily across borders, it is quite common for information to be processed outside of the region where it was collected and where its subject resides; this regulation now asserts that jurisdiction follows the data wherever it goes when it pertains to EU citizens.

From an information risk perspective, the following two provisions may be the most significant.

While the EU is widening its jurisdiction through the GDPR, it is also narrowing its notification windows; the regulation requires organizations to notify regulators of a breach within 72 hours of first awareness of the breach event. Once the enforcement period starts, companies will need to have a clear plan in place regarding how to provide notification when they discover a data breach event, because they will not have time to learn through experience.

And the biggest headline-making aspect of the GDPR: companies can be fined up to 4% of annual global turnover or €20M (whichever is greater) for serious data-related infringements. The penalties are set up on a tiered basis, so more basic violations such as notification failures or record-keeping errors could be subject to fines of 2% of annual global turnover. That said, these are serious penalties, designed to push companies to actively obtain and maintain compliance, and with the teeth to seriously punish those who fall out of compliance.

At this very high level of review, it is clear the GDPR has significant potential impact for organizations around the world that in one way or another maintain information about EU citizens. With enforcement still on the horizon, it remains to be seen if that potential impact holds up in practice.

Fraudulent impersonation and cyber insurance

By Cara Murray, Assistant Vice President, Alliant

The Treasurer gets an email from the CEO directing that money be wired out in connection with a hot new deal. Or a vendor emails a new invoice with updated wire transfer instructions. The money is sent. Except, the directions did not come from the CEO, and the invoice did not come from the vendor. These communications came from someone fraudulently impersonating them. The money has been stolen.

This “employee gets tricked into voluntarily sending money to a thief” kind of situation is what social engineering (or operational failure) fraud coverage responds to. Since the money has been stolen, a crime policy is the obvious first avenue of potential recovery. This is also the first place where insurers initially tried to deny coverage and then crafted policy language to provide the coverage, often with a sublimit and for an additional premium.

Another place a company may think to look for coverage in these social engineering fraud events is a network security and privacy / cyber policy. As many of these fraudulent instructions come via falsified email addresses or through compromised email accounts, the issue is sometimes viewed as a cyber issue. That said, cyber policies tend to explicitly exclude loss of funds/monies/securities. That’s the main differentiator between cyber coverage and crime coverage when it comes to computer hacking – cyber covers the loss of data, crime covers the loss of money. Increasingly, though, insurers are offering to add social engineering fraud / fraudulent instruction coverage onto cyber policies.

In order to have fraudulent instruction coverage under a cyber policy, the exposure has to be specifically endorsed onto the policy. Several carriers offer endorsements for their cyber policies that carve back the exclusionary language to provide coverage for the loss of money as a result of a fraudulent instruction event. As on crime policies, the fraudulent instruction coverage endorsed onto cyber policies is usually a sublimit.

Fraudulent instruction coverage as part of a cyber policy falls under the “First Party Coverages,” where it is added as its own insuring agreement most of the time, because the coverage is so different from what would otherwise be available under a cyber policy. The coverage triggers the same way it would in a crime form: when there is a fraudulently induced transfer of money based on instruction from someone purporting to be an authorized employee, outsourced provider, or customer of the insured, but who was not actually one of those parties.

So why would an organization want to have this coverage attached to their cyber policy versus attached to their crime coverage? A few differences in the structure of each kind of coverage suggest different strategies when it comes to overlapping coverage. First, the matter of the deductible – it is not uncommon for a company to have the deductible on one of their cyber or crime coverages be lower than the other. Second, the matter of limits – cyber carriers tend not to offer sublimits as high as those available from the crime side. Additionally, a company having coverage under both the cyber and the crime policies effectively raises the total limit available for a fraudulent instruction event. Third, the policy type – crime coverage does not always have an aggregate limit, so the sublimit that applies does so on a per occurrence basis, whereas in cyber policies the sublimit is offered as a single aggregate for the full policy period.

As there can be coverage for this kind of exposure under both the crime and cyber policies, it is also possible for a company to have coverage in both places. In such situations, one of the policies will need to be amended to specify that it will respond first in the case of a fraudulent instruction event. The decision of which policy should respond first will depend on the structural differences mentioned above.

With the right coverage, the story doesn’t have to end at “the money was stolen.”