Recent events have shown that companies should be concerned about cybersecurity and data protection as well as the possible consequences for their businesses, of cybersecurity incidents.
In this article, we highlight:
• the different (civil and criminal) liabilities to which companies can be exposed, if their data protection systems are breached;
• the measures that can and should be taken to prevent, or limit the (financial and operational) impact of such events;
• the differences between the traditional and new types of insurance coverage, more geared towards the risks inherent in today's digital environment, which many companies would do well to look into as a possible and convenient measure to mitigate ‘digital' risks.
With the recent news of the Belgian army launching its own ‘cybersecurity unit' to defend the nation against cyberattacks and to react effectively to such attacks, as well as the increasing number of companies (both multinationals and SME's) that have become victims of such attacks (e.g. the Heartbleed bug), cybersecurity and data protection have become key concerns. It is, therefore, not surprising that many companies have already set up cybersecurity taskforces.
In this context, identifying the risks your company is facing, both from a technical and legal perspective, and taking appropriate (technical, organizational and legal/contractual) measures to mitigate these risks, may prove essential to
avoiding significant liability issues and irreparable harm to your company's business and reputation. If an incident does occur, having taken out appropriate insurance policies will significantly reduce the financial consequences for your business. However, many traditional insurance policies do not provide adequate coverage for cybersecurity issues. It is, therefore, worth taking a closer look at the terms and conditions (read: exclusions) of your company's current insurance cover in order to see whether you are adequately covered for these types of ‘digital' risks.
What are a company's legal obligations in terms of cybersecurity and data protection?
Whether a company is processing personal data (i.e. all data relating to an identified or identifiable natural person) as a data controller (determining itself the means and purposes of the data processing) or as a data processor (processing personal data on behalf of or to order for another entity), it is subject to certain obligations. Within the EU, such obligations are largely harmonized under the EU Data Protection Directive 95/46/EC, implemented by the Belgian Data Protection Act of 8 December 1992.
These obligations apply not only to companies that provide B2C services, but to any company processing personal data, including e.g. the processing of IP addresses, employee data or details of contact persons, the use of surveillance cameras, or the processing of personal data pursuant to a commercial or collaboration agreement.
All data processors are obliged to guarantee the security and confidentiality of the personal data they process, by taking adequate organisational and technical measures to protect such personal data from accidental or unauthorised
destruction, accidental loss, as well as from alteration, access and any other unauthorised processing.
Companies acting as data controllers must comply with additional requirements (information obligations, consent requirements, public notifications, etc.), including certain security obligations. In particular, data controllers must select a processor that provides adequate safeguards in respect of the technical and organisational measures for the intended processing and ensures compliance with these measures, in particular by contractual stipulations. The Belgian Privacy Commission has highlighted the importance of conducting risk assessments and implementing appropriate security measures that are well-documented, implemented and regularly updated. Data controllers should, moreover, secure
their servers and have adequate data breach alarm- and notification procedures in place if personal data security is compromised.
In addition, as an inherent part of the general security obligations of any data controller, whenever a data controller becomes aware of an incident in which data is lost, destroyed, altered or disclosed in a way that is likely to become
known to members of the public or to the authorities (e.g. via the media, the Internet, or complaints), the relevant authorities must be informed of the incident within 48 hours, and adequate information must be given to the public within 24 to 48 hours, at the latest after notification to the authorities. With respect to financial services providers and providers of electronic communications networks, even stricter requirements apply.
What are the risks that a company could face in the event of a data breach or other cybersecurity incident?
If a data breach occurs, and it appears that inadequate measures were taken to protect the company from such a breach, the company, acting as data controller, will, under the Belgian Data Protection Act, be fully liable. Not only may
such company be liable for civil claims from individuals whose data has been compromised, it may also incur serious criminal liability.
First, data controllers may incur civil liability for any damage resulting from infringements of the provisions of the Belgian Data Protection Act. When a company's database or security measures have been compromised and personal
data (including e.g. personal health information or credit card details) are unlawfully disseminated, any third party (in particular the data subjects concerned) may claim compensation from the company for the (financial, moral or
reputational) damage suffluding e.g. the processing of IP adered as a consequence of the breach. In such a case, the general rules of civil liability for fault/negligence will apply.
Secondly, the Belgian Privacy Commission is entitled to investigate any companies' compliance with the Belgian Data Protection Act. In view of the general European trend towards stronger data protection enforcement, targeted (sectorspecific) investigations can be expected. In particular with respect to processing of ‘sensitive' personal data (such as health-related data) and data transfers to the US, closer scrutiny and stronger administrative enforcement is expected.
Finally, the Belgian Data Protection Act contains criminal sanctions in the case of non-compliance with a variety of its provisions (including the general security obligation). Any infringement of these may lead to criminal fines varying from EUR 600 to EUR 600,000 (fines are not covered by insurance policies).
In addition, the court may order (i) the publication of its judgment in full or in part, in one or more newspapers, (ii) the confiscation of the carriers of personal data to which the offence relates, or (iii) a ban on managing any processing of personal data, directly or through an agent, for a period of up to two years.
Moreover, under the new EU General Data Protection Regulation (expected to be adopted by the end of 2015), penalties will be drastically increased, with proposed fines of up to EUR 100,000,000 or 5% of an enterprise's global annual
turnover, and data protection authorities are indeed expected to proactively monitor and pursue infringements.
How can a company be protected against the consequences of these risks?
Proactively data security risk assessments and legal compliance audits may prevent, or at least mitigate, the risk of serious liability issues. These liabilities generally relate to immaterial / intangible damage that is difficult to remedy once it has occurred. It is, therefore, equally important for companies to subscribe to appropriate insurance policies to counter the financial consequences of any cybersecurity incidents.
Traditional insurance policies, however, are generally insufficient to cover companies' liabilities and losses following a data breach or other cybersecurity incident.
Indemnity insurance typically only covers material damage incurred by a company (e.g. damage to the company building(s), machines, etc.). Damage to software, databases and electronic devices is often expressly excluded. In most indemnity insurance policies, any immaterial damage and damage caused by a virus, data loss or manipulation (hacking) is also excluded from the coverage. The company's loss of reputation or profit as a result of cyberattacks or
data leakages will, therefore, not be covered.
Civil liability insurance, which covers a company's tortious liability vis a vis third parties, is not properly suited to cybersecurity issues either. Although it covers the immaterial damages caused to third parties as a result of a
cybersecurity event (e.g. loss of profits, clients or reputation), the policy is generally limited to immaterial damage that derives directly from a material damage (e.g. damaged or destroyed goods).
In the event of data breaches or cybersecurity incidents, the injured parties usually do not have any material damage, except when their own (electronic) systems and/or devices are damaged. This would explain why a company's liability
in that respect, is largely outside the cover of a civil liability insurance policy. Furthermore, civil liability insurance often expressly excludes damage to third parties caused by the company's electronic information, devices, and/or
communication, or caused by a virus or hacking.
Electronic (equipment) all risks insurance constitutes an indemnity insurance covering damage to the insured electronic equipment and devices themselves. Loss of profit and reputation and other intangible damage incurred by a company
are generally not covered. Furthermore, these policies often exclude viruses and human error, the latter being one of the principal causes for cyber security incidents and data losses.
In response to the coverage issues, referred to above, insurers have developed new and more sophisticated products generally called cyber risk insurance products. These insurance policies are often tailor-made in response to specific
cyber risks to which companies are exposed. In Belgium there is no specific insurance legislation for cyber risk insurance. The common provisions of liability and indemnity insurance that apply, therefore, are those contained in the
Insurance Law of 4 April 2014.
First, such cyber risk insurance covers the civil liability of a company resulting from a breach of privacy due to the theft of data, the transmission of a virus, failure of security which causes network systems to be unavailable to third parties (including their financial consequences for third parties), intellectual property rights infringements, media activities of the company, etc.
Also, the existing management liability policies (‘D&O policies') could be extended to liabilities caused by cyber risks. If it appears that the management of a company has not taken appropriate measures to secure its databases, third parties could hold it liable for damage or loss resulting from a data breach.
Secondly, cyber risk insurance also covers the potential losses companies might suffer as a result of data breaches or cybersecurity incidents. Various covers are available: loss of profit, loss of data, business interruption, costs resulting from the repair and monitoring of the company's network, etc.
It is even possible to insure cyber crisis management (i.e. the costs of retaining public relations assistance or advertising to rebuild the company's reputation after an incident), a company's presence on social media (i.e. coverage for social media liability in one policy), and cloud computing (i.e. specific coverage for cloud providers and businesses that use them, in the case of a loss, theft and liability of the data stored in the cloud).
Conclusion
There are numerous (civil and criminal) liabilities associated with the responsibility of a company as ‘processor' or ‘controller' of personal data. As recent examples of cyberattacks and data losses have shown, the cybersecurity risks,
to which a company may be exposed, should not be underestimated, and they are ever increasing. Companies wishing to mitigate these risks as much as possible, are advised to be well-prepared and to undertake action on two different levels.
On the one hand, they should take adequate measures to prevent cybersecurity events from occurring, including both technical and legal risk assessments and legal data protection compliance audits. On the other hand, companies are
advised to obtain appropriate insurance cover against the different ‘digital' risks they are likely to face. As these risks are often not covered by, or are expressly excluded from, traditional insurance policies, a proper due diligence of a company's existing or prospective insurance portfolio, and, where necessary, the re-negotiation of such policies, could prevent unpleasant financial consequences if a data breach or cyberattack actually occurs.
Loyens & Loeff's data protection and insurance teams are ready to advise and provide assistance to companies on both these two levels. You may, of course, also get in touch with your own contact person within Loyens & Loeff if you require additional assistance or tailor-made advice.
