Where will the main exposure exist for Data Protection Officers (DPO's)/Chief Information Security Officers (CISO), who are operating as contractors?
We understand that helping a business become compliant with GDPR is not going to be an easy process in most cases. Measured advisory services will be needed to change a company’s culture to make them continuously more aware and compliant, whilst concurrent actions will also be needed, such as: improvements made to the documentation of policies and procedures and also recommending how to mitigate risk and make systems and controls more robust.
The level of responsibility to deliver the above is no doubt very high and any failure, or indeed alleged failure to deliver compliance will lead to a professional indemnity insurance exposure.
Some data protection consultants will be appointed on a non-executive basis. If this occurs, you are accountable to a number of stakeholders and government organisations, to make sure that you are fulfilling your duty and acting diligently and therefore you will have a directors’ & officers’ liability exposure (check your company has this policy in force and it covers you).
With the increased use of technology, the implications of a ‘hack’ or security breach can result in a range of losses to both the Data Protection Officers (DPO’s)/Chief Information Security Officers (CISO) and also the companies that they are consulting for. If this occurs, this will lead to a Cyber Liability Insurance exposure.
Other, slightly lower risks also apply, such as damaging property, or causing injury to people, employees falling ill/dying as a result of the actions of the business and damage/loss of equipment.
* Note that other risks to your business may apply and therefore this guide should not be solely relied upon. If you have any particular concerns, which are not addressed above, please contact us to discuss further.
What factors will contribute towards a risky environment?
Professional Indemnity Insurance
Designed to cover claims in respect of an alleged breach of the policy holders’ (in this case, data protection professionals) professional duty (error, negligence, omission etc.), which causes a third-party a financial loss. This policy is designed to cover the associated legal costs in defending the claim and any award of settlement/compensation made to the third-party claimant/s.
Directors’ & Officers’ Liability Insurance
Designed to cover claims brought against a director, officer or person in a position of management/seniority in respect of a ‘wrongful act’ committed in their capacity. Claims in this area can be very diverse, but the common claims are linked to breaches of legislation.
Cyber Liability Insurance
Designed to cover the losses incurred as a result of a cyber-attack/security breach. Cyber claims can be extremely diverse and often include costs associated with losses from Cyber-crime, loss of income from denial of Internet access, law suits brought against you by third parties, damaged systems and subsequent reputational harm.
Office Combined Insurance
Packaged offering which includes, public and employers’ liability, contents and property cover and reimbursement for losses associated with business interruption.
We would recommend that any Data Protection Officer (DPO’s)/Chief Information Security Officer (CISO), who is operating on a contractor basis should at least take out all of the above. Often, they will be mandated to hold certain covers (such as professional indemnity insurance) anyway and by doing so, they should have a better chance of winning more tenders as it should give their clients a degree of comfort.
In addition, it would be good practice for any Data Protection Officer (DPO’s)/Chief Information Security Officer (CISO) to make relevant checks on whether the company/ies that they are working for also hold at least the above covers, especially cyber liability insurance.
What limit of cover is needed?
It will vary depending on the size of the company, scope of work and calculation of a worst-case scenario loss, however, in our professional opinion we believe that the following minimums should apply. However, if there is the financial capacity to purchase more, this should be done:
- Professional Indemnity Insurance – £5,000,000.
- Directors’ & Officers’ Liability Insurance - £1,000,000.
- Cyber Liability Insurance - £1,000,000.
- Public Liability Insurance - £1,000,000.
- Employers’ Liability Insurance (legal requirement for companies employing/engaging personnel) - £10,000,000.
FAQ
“If I am not a contractor and instead I am directly employed by a company, does that mean I do not need my own insurance?”
Like working on a contracting basis, if you are directly employed by a company you will need to ensure that you have suitable directors’ and officers’ liability insurance for yourself.
Once you are directly employed by a business, you will hold a senior position and as you cannot be instructed by the company on how to handle security breaches, your decisions may become scrutinised by the board, which at worst case scenario could lead to members of the board suing you and without having suitable insurance protection in place, this could then leave your personal assets at risk!
If your company is not willing to purchase the cover, or add you to their policy, you do have the option of purchasing Individual Directors’ and Officers’ Liability Insurance which we can help with and can extend to cover several non-executive positions that you may hold.
If you are directly employed by a company as member of their staff (therefore not acting on a contracting/self-employed basis), you should not be required to hold Professional Indemnity Insurance, Cyber Liability Insurance or Office Combined Insurance, as you should be covered under the company’s policy/ies. However, we would always recommend that you double check the extent of cover to make sure you are suitably insured and also advise your company that they should purchase Cyber Liability Insurance, Directors & Officers Insurance and Professional Indemnity Insurance (if applicable).
What is General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) is being cited as one of the biggest shakeups to businesses in recent times and with the new data protection laws that came into force on 25 May 2018, there has been an increased emergence of, and demand for, up-to-date data protection professionals (Data Protection Officers - DPO’s/Chief Information Security Officers - CISO), as businesses will need expert assistance on how to become compliant and mitigate the chances of facing fines of up to €20m / 4% of annual turnover; whichever is larger.
Whilst it is clear that any DPO/CISO who is currently offering, or planning to offer their services to businesses, should be suitably qualified and ‘up to scratch’ with how the implementation of the GDPR is likely to impact organisations, because of the fact that there are still large grey areas surrounding this subject, there are a range of risk factors that all DPO/CISO’s should seriously consider.
We have covered below what we believe should be the main areas of focus for data protection professionals in respect of insurance and welcome any queries related to this topic.
Will businesses choose to outsource to a contractor, or will they directly employ a DPO/CISO?
Every business has different preferences and circumstances, so clearly there is no straight-forward ‘yes’ or ‘no’ answer to this.
However, it is reported that as the DPO/CISO, responsible for overseeing information security management, cannot be instructed by the board on how to handle, investigate or report a breach, if the board disagree with the approach taken it may leave them in a tricky situation, as they cannot sack their data protection officer for performing their duty.
In light of the above, we think that it may be more attractive for a company to appoint a third-party contractor (who would not be deemed to be a direct employee), as in addition to the business not having to handle additional employee related duties, if the board are dissatisfied with the actions taken by the contractor and subsequent results (could be large fines), they should have a clearer path for recourse because they are likely to make a claim on the contractor’s professional indemnity insurance.
What factors will contribute towards a risky environment?
We think that this arena will be particularly sensitive and generally speaking, potentially very risky to operate in and have summarised some of the contributing factors below:
- 1. The laws are new and there is no mechanism to be able to predict the future. Uncertainty will always bring elements of risk.
- 2. Due to the legal framework in the UK, the subsequent actions taken by the Information Commissioner’s Office (ICO) after a breach are likely to be challenged by companies who feel hard done by and therefore future case law will play a big part in determining how the legislation will be applied in practice. Again, no certainty yet.
- 3. The upscaling of the maximum fines. Under the Data Protection Act [1998] the maximum fine is £500,000. As of 25 May 2018, the maximum fine under the new Data Protection Act was increased to €20m/4% of annual turnover; whichever is larger.
- 4. The time-frame to notify a security breach must be met within 72 hours.
- 5. Unfortunately, it is reported that the majority of companies, especially SME’s, are worryingly unprepared for GDPR compliance and reports suggest that some companies are not even aware of it yet!
The above statements are examples of uncertainty, increased accountability and lack of preparation leading to panic and non-compliance. In terms of insurance, when these aforementioned factors exist, there is a heightened environment for claims and therefore setting up appropriate cover is vital for business continuation.