The General Data Protection Regulation raises the possibility of a potential increase in insurance claims for data breaches, a new report from the International Underwriting Association has stated. Insurers should, therefore, carefully consider whether policy limits and sub-limits currently in place are appropriate for the reality of new exposures.
Research undertaken by the IUA’s Liability Underwriters’ Group has highlighted several factors that may drive up both the volume and cost of claims against general liability policies. These include changes to the right to compensation for data breaches, lower thresholds for notifying such breaches and higher defence costs. The introduction of group litigation into data protection law, enabling consumer bodies to represent multiple individuals in mass claims, may also have an impact.
Chris Jones, director of legal and market services at the IUA, said: “The introduction of the General Data Protection Regulation (GDPR) means people are likely to be more aware of their rights, are legally entitled to notification of any data breaches and have greater scope for seeking redress.
“Each of these factors could lead to a greater number of claims and it is important that insurers understand how their liability products are likely to perform in the new data protection landscape.”
The IUA’s report, titled ‘Data Protection Liability Extensions’, also discusses a number of other issues for insurers to consider as a result of the changing regulatory environment. These include reviewing references to data protection legislation in policy wordings and examining current policy triggers, which may be on a ‘claims made’ or ‘losses occurring’ basis with quite different implications for the cover offered.
Underwriters may wish to review their existing risk management assessments, questioning, for example, the extent of a client’s GDPR compliance. A further factor to assess could be the territorial scope of policies as this will influence the ability of claimants to call on their coverage.
Members of the Liability Underwriters’ Group intend their report to be used both as a starting point for IUA companies to develop wordings for the new data protection regime and to help evaluate existing wordings. The document includes an underwriting checklist summarising key questions upon which underwriters may reflect.
Mr Jones added: “Data protection cover is commonly provided as an extension to liability policies. With the advent of the GDPR insurers have an ideal opportunity to evaluate whether these perform their intended functions.”