10/15/2019 New Cyber Privacy Regulations and Risks Impacting U.S. Organizations Webcast for MMA Clients in Partnership with BakerHostetler and Beazley


Page 1: New Cyber Privacy Regulations and Risks Impacting U.S. …... · 2019-10-16 · Creating a SWAT team of key internal stake holders and outside vendors Quantifying an insured MPL Having

10/15/2019

New Cyber Privacy Regulations and Risks Impacting U.S. Organizations
Webcast for MMA Clients in Partnership with BakerHostetler and Beazley

Page 2

Marsh & McLennan Agency LLC

Speakers

• Dan Hanson, MMA Cyber Center of Excellence Co-Chair, Sr. Vice President of Management Liability & Client Experience, MMA Minneapolis
• Marc Schein, MMA Cyber Center of Excellence Co-Chair, Risk Management Consultant, MMA New York
• Lisa Dickinson, MMA Cyber Center of Excellence Co-Chair, Senior Vice President, Executive and Professional Liability Practice, MMA Southeast
• Laura Jehl, Partner, Privacy & Data Protection Group, Co-Leader, GDPR & U.S. Consumer Privacy Initiatives, BakerHostetler
• Raf Sanchez, International Breach Response Manager, Beazley

Page 3

Roadmap

1. Understanding the Challenge
   – GDPR
   – CCPA

2. Impact of New Privacy Laws on Organizations
   – Compliance Challenges
   – Possible New Laws
   – Enforcement Actions

3. How Marsh & McLennan Agency (MMA) Can Help
   – Is Coverage Available for Privacy and Security Violations?

Page 4

GDPR Snapshot

• Became effective May 25, 2018
• Applies to organizations that:
  – Are “established” in the EU;
  – Process personal data of EU “data subjects” when offering them goods or services (whether or not for payment); or
  – Monitor behavior occurring in the EU.
• Key terms:
  – “Personal data”
  – “Processing”
  – “Controller” and “Processor”
• Max fine: greater of €20 million or 4% of worldwide annual turnover

Page 5

Unforeseen Consequences of GDPR

• Data subject rights
  – Extensive resources required to respond to a request
  – Use of requests by data subjects to bring complaints and lawsuits
  – Fines associated with failure to respond to requests, late responses and non-compliant responses
• Impact on organizations not established in the EEA
  – Cannot take advantage of lead supervisory authority mechanism
  – Standard contractual clauses are not drafted for non-EEA countries
  – Collection of data from the EEA by a non-EEA organization
• Costs of compliance
• Lack of harmonization among EEA countries in relation to guidance and enforcement

Page 6

GDPR – Key Changes

1. Mandatory Notifications
2. Extra-territorial Scope
3. Impact on Data Processors


Page 8

CA Consumer Privacy Act (CCPA) Snapshot

• Effective January 1, 2020
• Privacy
  – Consumers have certain rights regarding their personal information
    o Rights of disclosure, portability, opt-out
    o Businesses may not discriminate against consumers who exercise their rights
• Security
  – Businesses must implement “reasonable” data security
  – Private right of action stems from security obligations
• Penalties
  – CA Attorney General may impose fines
  – Private right of action for individuals

Page 9

CCPA Penalties

• CA Attorney General
  – May enforce CCPA beginning either 6 months after publishing regulations or July 1, 2020, whichever is sooner
  – 30-day notice and cure period
  – $2,500 for each violation, $7,500 for each intentional violation
• Private Right of Action
  – Applicable only to security violations
  – Up to $750 per consumer per incident or actual damages, plus other “proper” relief

Page 10

GDPR vs CCPA: Similarities

• Extra-territorial reach
• Broad definition of personal information / personal data
• Data subject rights of access, deletion, and portability
• Requirement to notify consumers of privacy practices prior to or at time of data collection, including third parties with whom data is shared
• Notify consumers of changes to privacy practices
• Certain rights for children
• Time limits for fulfilling data subject requests
  – GDPR: 30 days
  – CCPA: 45 days

Page 11

Only in the GDPR / Cross-Border Transfers

• The GDPR imposes restrictions on the transfer of personal data outside the European Union to third countries or international organizations
• Options for cross-border transfer of personal data under the GDPR include the following:
  o Adequacy decisions
  o Appropriate safeguards
  o Derogations for specific situations
• If no “adequacy” decision, “appropriate safeguards” – which are EC-approved legal mechanisms – may be used to lawfully transfer personal data out of the EU:
  o Model Clauses
  o BCRs
  o Privacy Shield framework

Page 12

Only in CCPA

• Right to opt-out specifically for the sale of personal information
• Establish specific communication channels for consumers
  – Toll-free phone number and conspicuous link on website
• Rights applicable to “personal information” extend to information about devices and households
• Recordkeeping on a 12-month basis (only required to provide information once per year)
• Private right of action

Page 13

What are the challenges as we discuss the risk with our clients?

Exposure factors shown in the slide diagram: Industry / Operations; Personal Data; Consumers in High Risk Jurisdictions

Industries shown: Retail, Higher Education, Financial Institutions, Healthcare, Technology, Direct to Consumer, Media

Goal: Helping MMA clients recognize the risk & their exposures

Page 14

What are the challenges as we discuss the risk with our clients?

• Getting clients to realize GDPR affects companies that are not just in the UK
• Helping clients to invest in resources to make them compliant
• Creating a SWAT team of key internal stakeholders and outside vendors
• Quantifying an insured's MPL
• Having clients understand the UK regulators are working with state attorneys general in the US to bring enforcement
• Educating clients about CCPA

Goal: Empowering insureds to qualify and quantify their cyber risk using state-of-the-art modeling tools

Page 15

Tackling Compliance with GDPR

Compliance Challenges

• Legacy IT systems
  – Many companies have cited outdated technology as a major factor in lack of GDPR compliance
  – Companies have identified addressing existing technology as a major factor in CCPA compliance
• GDPR is too complex, and new enforcement actions and guidance keep coming
• Compliance is too costly
  – Capgemini study found that approximately 36% of organizations have allocated at least 1 million euros to upgrades in 2019

Page 16

(Partial?) Compliance with GDPR

Page 17

GDPR Enforcement to Date

• 281,088 cases reported by 27 supervisory authorities; approximately 63% of cases have been closed (as of May 2019)
• 446 cross-border cases, with 205 leading to One-Stop-Shop (OSS) procedures with 19 final OSS outcomes (as of May 2019)
• Fines imposed by 22 supervisory authorities; fines vary widely by country
• Most active supervisory authorities:* Germany, Hungary, Czech Republic, Bulgaria, Austria, Romania and Spain
• Ireland has not issued a fine
• Top fined industries:* Finance, Professional Services, Public Sector and Healthcare
• EU courts have begun to award compensation for immaterial damages under Article 82 for breaches of GDPR

*Based on research from Mazars (September 2019)

Page 18

Challenges

1. Changing regulatory landscape
2. Short time-frames for compliance
3. Compliance requires ongoing commitment

Page 19

Enforcement – Areas to Watch

Amounts of Fines and Focus Areas of Supervisory Authorities Differ Widely

Data Security / Personal Data Breaches

• Most frequent area fined / highest fine amounts.
• Significant Fines:
  – UK: Announced intent to fine British Airways (£183.39 million) and Marriott (£99 million) for insufficient technical and organizational measures in connection with personal data breaches.
  – Bulgaria: After audit, fined National Revenue Agency €2.6 million in connection with insufficient technical and organizational measures that led to personal data being accessible on the internet.
  – Poland: Fined Polish retailer approx. €645,000 for insufficient technical and organizational measures. Retailer lacked appropriate procedures to respond to unusual network traffic.
  – Lithuania: Fined company €61,000 after audit revealed that company had, among other violations, failed to report a personal data breach.
• Multiple other countries have issued fines for insufficient technical and organizational measures, including France, Romania, Germany and Italy.

Page 20

Enforcement – Areas to Watch

Data Subject Rights

• Multiple countries have issued fines in connection with controllers' responses to data subject requests.
• Significant fine: German supervisory authority (Berlin) fined a company €195,407 in connection with a series of failures to compliantly respond to data subject requests.

Lawful Basis of Processing / Notice

• Significant fines
  – Greek DPA fined PwC €150,000 for violations in the processing of employee personal data. The company processed employee personal data on the basis of consent; the DPA found that performance of contract, legal obligation and legitimate interests were more appropriate lawful bases. The fine also covered the failure of PwC to provide proper notice of the lawful bases for processing.
  – French CNIL fined Google €50 million in connection with its Android operating system, finding that the consent obtained from the user was insufficient and the user was not provided sufficient information under Articles 13 and 14 of the GDPR.

Data Protection Officer (DPO)

• Austrian DPA fined a company in the healthcare sector €50,000 in connection with its failure to appoint a DPO and provide the required information to data subjects with respect to the DPO.

Page 21

Beazley U.S. GDPR Claims

1. Frequently triggered by B.E.C. incidents
2. Non-prescriptive definition of “personal data”
3. Regulators requesting copies of reports

Page 22

Insurance Coverage Available

Cyber Liability Policy can transfer some risk

• GDPR has required the Cyber insurance industry to re-think what triggers the policy and how fines and penalties are insured
• A Cyber policy traditionally is triggered by a Network Security or Privacy event; it is a challenge for some carriers to cover regulatory actions not triggered by a breach (such as audits and other enforcement actions)
• GDPR / CCPA and enhanced “Regulatory” language is new, a fluid process, and not uniform
• Will continue to evolve

Page 23

Considerations When Placing Coverage

- Engage in meaningful conversation with your MMA team about your operations and risks
- Cyber coverage varies greatly between carriers; have a clear risk management approach to assist you in the Cyber purchasing decision
- Expect changes to Cyber policy every year

Page 24

Insurance Coverage Available

• Market constantly changing: 60 standalone carriers in 2017, over 200 in 2019
• Market place is constantly improving coverages offered: Regulatory, CBI, Reputational Harm, Work Place Violence
• MMA Cyber CoE reviews manuscript wording on a bi-annual basis to ensure broadest coverages available:
  – GDPR endorsement
  – GDPR plus endorsement
  – Regulatory endorsement

Page 25

Get Your Privacy House in Order

1. Create a data inventory and map data flows, including all data transfers:
   – Cross-border transfers
   – Sales of data
   – Sharing with vendors or third parties
   – Third party processing of employee data
   – Intra-company transfers (affiliates)
2. Review and update internal privacy and security policies
3. Update your online privacy policies and notices
   – GDPR and CCPA policies will require descriptions of categories of third parties with whom data is shared

Page 26

Get Your Privacy House in Order

4. Establish processes to respond to data subject rights requests
   – IT considerations – how will you find the data to respond quickly?
5. Enhance vendor management processes (RFP, contracting, audits)
6. Review recordkeeping practices and update for new requirements
7. “Privacy By Design”

Ongoing tracking of evolving legislation

Page 27

Takeaways

• Understand exposure to non-U.S. regulations
• Key developments forthcoming (EDPB guidance)

Page 28

Takeaways – MMA

• A well-crafted Cyber Liability policy is our best risk transfer tool
• Negotiating responsive and expansive coverage is an ongoing process

Page 29

Takeaways – MMA

• The market place is constantly evolving to address new exposures
• Work with a cyber risk specialist who is able to identify your exposure, has the tools to quantify it and can articulate the coverage enhancements to the C-Suite
• The regulatory environment around cyber risk has picked up significantly over the past 24 months and we expect that trend to continue
• Be on the lookout for regulatory updates from MMA

Page 30

Questions for the Panel?

Page 31

MarshMMA.com

This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency, LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisors. Any modeling analytics or projections are subject to inherent uncertainty and the analysis could be materially affected if any underlying assumptions, conditions, information or factors are inaccurate or incomplete or should change. Copyright © 2019 Marsh & McLennan Insurance Agency LLC. All rights reserved.