[BreachExchange] Is your senior team covered for GDPR breaches?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 19 18:53:56 EDT 2018


http://www.irishnews.com/business/2018/06/19/news/is-your-senior-team-covered-for-gdpr-breaches--1357247/

Just when you thought it was safe to return to the business pages, I'm
afraid this is another GDPR piece! The aim, though, is not more technical
jargon, but to provide a few thoughts that could safeguard your business,
and its directors and officers from a financially painful experience.

For those of us of a certain vintage, parallels have been drawn between
GDPR and the Y2K preparations of 1999. The issue then was to avoid dire
predictions that the Millennium Bug would end life as we knew it.

As it transpired, the 'Bug' was one of the most over-hyped phenomena of
recent times. Few computers failed, life didn't end, and levels of cynicism
ratcheted up several points.

GDPR is different though. It's not a hypothetical problem - it is a
regulatory requirement with guidelines set out by the Information
Commissioner's Office (ICO) and can have serious implications for
businesses if the law is not adhered to.

To date, the ICO has taken a measured stance. Innocent oversights, at least
in the short term, are unlikely to bring financial ruin, but flagrant
disregard will be punished and businesses will fall foul of GDPR's
eye-watering fines.

Much has been written about those fines, but less has been said about other
sources of GDPR risk.

Company directors and officers have duties relating to good governance and
management. Failings on their part could leave them exposed to fines, legal
costs and damages. Breach of personal data under GDPR is now another area
of risk and the insurance industry is predicting a spike in claims over
such incidents. This could be individuals bringing claims for damages (e.g.
distress) due to a GDPR breach or even class actions. It is also worth
checking what type of cyber cover is in place for your business. Recently,
5,500 Morrisons staff successfully brought an action against their employer
because an employee maliciously leaked personal data online.

Given its technical nature, some directors and officers may have mistakenly
delegated GDPR preparations without too much thought. Given the scope for
regulatory or civil action, these preparations should have highlighted how
the potential personal liabilities of directors and officers are covered.
Is there, for example, insurance in place to address legal costs or
reputational damage?

Businesses should have provision through directors and officers insurance,
and professional indemnity insurance. It is, however, a complex issue and
one that you should discuss as a matter of urgency with your insurance
broker, as although these will cover investigation costs, neither will
cover fines, should your company be found to be non-compliant.

There can be a fine distinction between activities carried out as a
director / officer and those conducted as a professional, and it may be
that there are 'gaps' in your cover. Wording can differ from policy to
policy and a discussion with your insurer on the cover available in light
of GDPR is recommended. You should also take advice on what an appropriate
level of cover is and the value of 'run-off' clauses to protect directors
once they leave the organisation.

Clearly the first line of GDPR defence is to ensure that all reasonable
measures have been taken to protect consumer data and safeguard against
breaches. Not to have adequate insurance provision in place as well,
however, could present a serious financial exposure.