Does Cyber Insurance Cover Fines From Data Commissioner?

Caeva O'Callaghan | August 3rd, 2021


When a data breach is reported – and it must be, by law – there are several different costs and fines you could incur. But does your cyber insurance cover these?

Yes, it does. Under the third party liability section of your cyber insurance policy, you will have cover for any fines and penalties you incur.

However, depending on your individual circumstances and the nature of the GDPR breach, you may not be able to recover all costs.

In this article, we’ll cover questions such as:

  • What kind of fines are there for breaching GDPR?
  • Will my cyber insurance cover GDPR fines?
  • What is the DPC and ICO?

It’s important to be aware of all the possible consequences of breaking GDPR laws. Getting adequate cyber insurance in place is a good start, so read on to find out more about how your insurance can help with fines.

What is the DPC and ICO?

The Data Protection Commission (DPC) is the national independent data authority for Ireland. They are responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and also has functions and powers related to other important regulatory frameworks.

The ICO (Information Commissioner’s Office) is the UK’s independent body set up to uphold information rights. It is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport.

Depending on where your business operates, you will need to report to one of these organisations should you have a data breach that could impact people’s lives.

After Brexit, the key principles, rights and obligations of GDPR remain the same in Britain. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

If you have any questions about how your data management needs to comply with current laws after the transition period, contact the DPC or ICO.

About GDPR fines

Any cyber insurance policy worth its salt will include coverage for commissioner’s fines. However the fine print will state that it’s necessary for those fines to be “recoverable at law”. In simple terms, this means that if you are lawfully required to pay those fines, your insurance will not cover you. This is because fines are meant to be a deterrent, and if businesses are able to make an insurance claim to avoid paying due penalties, this deterrent effect is lost.

Companies and individuals aren’t able to use insurance to avoid the consequences of illegal actions. If you’ve been intentionally negligent with security updates, or intentionally allowed a data breach, you will not be able to recover any fines.

At least, this is what applies to businesses with other types of insurance. As of yet, there hasn’t been a case in Ireland where the courts had to decide if a data regulator fine can be lawfully covered by insurance. But, as GDPR fines can reach up to €20 million or 4% of annual global turnover – whichever is greater – so this ambiguousness isn’t exactly reassuring.

Other fines

Administrative fines are the commissioner’s attempt at recovering the cost of processing your case. Even if your initial claim is successful, you may still be liable for administrative fees during the investigative period.

When deciding whether to impose an administrative fine, one of the key considerations regulators need to keep in mind is not only if the infringement was on purpose or not, but also factors such as:

  • The severity and duration of the data breach
  • Whether your company has had a previous data breach
  • The type of personal data involved in the breach
  • Whether the breach affects the rights and freedoms of individuals

In other words, the DPC can add extra costs to your fine if they decide that the original amount isn’t punishment enough. To see if administrative fines will be covered by your cyber insurance, check your policy wording thoroughly.

If you have any questions regarding cyber insurance, pick up the phone or request a call-back from our insurance experts and we can help you choose the right policy for you and your business.

OUR CYBER INSURANCE SPECIALISTS

RACHEL DIXON

CAEVA O'CALLAGHAN

CAROLINE MCARDLE

All Information in this post is accurate as of the date of publishing.