10/15/2019
New Cyber Privacy Regulations and Risks Impacting U.S. Organizations
Webcast for MMA Clients in Partnership with BakerHostetler and Beazley
Marsh & McLennan Agency LLC 1
Speakers
Dan Hanson, MMA Cyber Center of Excellence Co-Chair, Sr. Vice President of Management Liability & Client Experience
MMA Minneapolis
Marc Schein, MMA Cyber Center of Excellence Co-Chair, Risk Management Consultant
MMA New York
Lisa Dickinson, MMA Cyber Center of Excellence Co-Chair, Senior Vice President, Executive and Professional Liability Practice
MMA Southeast
Laura Jehl, Partner, Privacy & Data Protection Group, Co-Leader, GDPR & U.S. Consumer Privacy Initiatives
BakerHostetler
Raf Sanchez, International Breach Response Manager
Beazley
Roadmap
1. Understanding the Challenge
– GDPR
– CCPA
2. Impact of New Privacy Laws On Organizations
– Compliance Challenges
– Possible New Laws
– Enforcement Actions
3. How Marsh & McLennan Agency (MMA) Can Help
– Is Coverage Available for Privacy and Security Violations?
GDPR Snapshot
• Became effective May 25, 2018
• Applies to organizations that:
– Are “established” in the EU;
– Process personal data of EU “data subjects” when offering them goods or services (whether or not for payment); or
– Monitor behavior occurring in the EU.
• Key terms:
– “Personal data”
– “Processing”
– “Controller” and “Processor”
• Max fine: greater of €20 million or 4% of worldwide annual turnover
Unforeseen Consequences of GDPR
• Data subject rights
– Extensive resources required to respond to a request
– Use of requests by data subjects to bring complaints and lawsuits
– Fines associated with failure to respond to requests, late responses and non-compliant responses
• Impact on organizations not established in the EEA
– Cannot take advantage of lead supervisory authority mechanism
– Standard contractual clauses are not drafted for non-EEA countries
– Collection of data from the EEA by a non-EEA organization
• Costs of compliance
• Lack of harmonization among EEA countries in relation to guidance and enforcement
GDPR – Key Changes
1. Mandatory Notifications
2. Extra-territorial Scope
3. Impact on Data Processors
CA Consumer Privacy Act (CCPA) Snapshot
• Effective January 1, 2020
• Privacy
– Consumers have certain rights regarding their personal information: rights of disclosure, portability, opt-out
– Businesses may not discriminate against consumers who exercise their rights
• Security
– Businesses must implement “reasonable” data security
– Private right of action stems from security obligations
• Penalties
– CA Attorney General may impose fines
– Private right of action for individuals
CCPA Penalties
• CA Attorney General
– May enforce CCPA, beginning either 6 months after publishing regulations or July 1, 2020, whichever is sooner
– 30-day notice and cure period
– $2,500 for each violation, $7,500 for each intentional violation
• Private Right of Action
– Applicable only to security violations
– Up to $750 per consumer per incident or actual damages, plus other “proper” relief
GDPR vs CCPA: Similarities
• Extra-territorial reach
• Broad definition of personal information / personal data
• Data subject rights of access, deletion, and portability
• Requirement to notify consumers of privacy practices prior to or at time of data collection, including third parties with whom data is shared
• Notify consumers of changes to privacy practices
• Certain rights for children
• Time limits for fulfilling data subject requests
– GDPR: 30 days
– CCPA: 45 days
Only in the GDPR / Cross-Border Transfers
• The GDPR imposes restrictions on the transfer of personal data outside the European Union to third countries or international organizations
• Options for cross-border transfer of personal data under the GDPR include the following:
o Adequacy decisions
o Appropriate safeguards
o Derogations for specific situations
• If no “adequacy” decision, “appropriate safeguards” – which are EC-approved legal mechanisms – may be used to lawfully transfer personal data out of the EU
o Model Clauses
o BCRs
o Privacy Shield framework
Only in CCPA
• Right to opt-out specifically for the sale of personal information
• Establish specific communication channels for consumers
– Toll-free phone number and conspicuous link on website
• Rights applicable to “personal information” extend to information about devices and households
• Recordkeeping on a 12-month basis (only required to provide information once per year)
• Private right of action
[Figure: industry / operations risk matrix. Columns: Industry / Operations, Personal Data, Consumers in High Risk Jurisdictions. Rows: Retail, Higher Education, Financial Institutions, Healthcare, Technology, Direct to Consumer, Media.]
Goal: Helping MMA clients recognize the risk & their exposures
What are the challenges as we discuss the risk with our clients?
Getting clients to realize GDPR affects companies that are not just in the UK
Helping clients to invest in resources to make them compliant
Creating a SWAT team of key internal stakeholders and outside vendors
Quantifying an insured MPL
Having clients understand the UK regulators are working with state attorneys general in the US to bring enforcement
Educating clients about CCPA
Goal: Empowering insureds to qualify and quantify their cyber risk using state-of-the-art modeling tools
Tackling Compliance with GDPR
Compliance Challenges
• Legacy IT systems
– Many companies have cited outdated technology as a major factor in lack of GDPR compliance
– Companies have identified addressing existing technology as a major factor in CCPA compliance
• GDPR is too complex, and new enforcement actions and guidance keep coming
• Compliance is too costly
– Capgemini study found that approximately 36% of organizations have allocated at least 1 million euros to upgrades in 2019
(Partial?) Compliance with GDPR
GDPR Enforcement to Date
• 281,088 cases reported by 27 supervisory authorities; approximately 63% of cases have been closed (as of May 2019)
• 446 cross-border cases, with 205 leading to One-Stop-Shop (OSS) procedures with 19 final OSS outcomes (as of May 2019)
• Fines imposed by 22 supervisory authorities; fines vary widely by country
• Most active supervisory authorities:* Germany, Hungary, Czech Republic, Bulgaria, Austria, Romania and Spain
• Ireland has not issued a fine
• Top fined industries:* Finance, Professional Services, Public Sector and Healthcare
• EU courts have begun to award compensation for immaterial damages under Article 82 for breaches of GDPR
*Based on research from Mazars (September 2019)
Challenges
1. Changing regulatory landscape
2. Short time-frames for compliance
3. Compliance requires ongoing commitment
Enforcement – Areas to Watch
Amounts of Fines and Focus Areas of Supervisory Authorities Differ Widely
Data Security/Personal Data Breaches
• Most frequent area fined/highest fine amounts.
• Significant Fines:
– UK: Announced intent to fine British Airways (£183.39 million) and Marriott (£99 million) for insufficient technical and organizational measures in connection with personal data breaches.
– Bulgaria: After audit, fined National Revenue Agency €2.6 million in connection with insufficient technical and organizational measures that led to personal data being accessible on the internet.
– Poland: Fined Polish retailer approx. €645,000 for insufficient technical and organizational measures. Retailer lacked appropriate procedures to respond to unusual network traffic.
– Lithuania: Fined company €61,000 after audit revealed that company had, among other violations, failed to report a personal data breach.
• Multiple other countries have issued fines for insufficient technical and organizational measures including France, Romania, Germany and Italy.
Enforcement – Areas to Watch
Data Subject Rights
• Multiple countries have issued fines in connection with controllers' responses to data subject requests.
• Significant fine: German supervisory authority (Berlin) fined company €195,407 in connection with a series of failures to compliantly respond to data subject requests.
Lawful Basis of Processing/Notice
• Significant fines
– Greek DPA fined PwC €150,000 for violations of the processing of employee personal data. The company processed employee personal data on the basis of consent; DPA found that performance of contract, legal obligation and legitimate interests were more appropriate lawful bases. Fine also covered the failure of PwC to provide proper notice of the lawful bases for processing.
– French CNIL fined Google €50 million in connection with its Android operating system, finding that the consent obtained from the user was insufficient and the user was not provided sufficient information under Articles 13 and 14 of the GDPR.
Data Protection Officer (DPO)
• Austrian DPA fined a company in the healthcare sector €50,000 in connection with its failure to appoint a DPO and provide the required information to data subjects with respect to the DPO.
Beazley U.S. GDPR Claims
1. Frequently triggered by B.E.C. incidents
2. Non-prescriptive definition of “personal data”
3. Regulators requesting copies of reports
Insurance Coverage Available
Cyber Liability Policy can transfer some risk
• GDPR has required the Cyber insurance industry to re-think what triggers the policy and how we insure fines and penalties
• Cyber policy traditionally is triggered by a Network Security or Privacy event; it is a challenge for some carriers to cover regulatory actions not triggered by breach (such as audits and other enforcement actions)
• GDPR / CCPA and enhanced “Regulatory” language is a new, fluid process, not uniform
• Will continue to evolve
Considerations When Placing Coverage
- Engage in meaningful conversation with your MMA team about your operations and risks
- Cyber coverage varies greatly between carriers; have a clear risk management approach to assist you in the Cyber purchasing decision
- Expect changes to Cyber policy every year
Insurance Coverage Available
Market constantly changing: 60 standalone carriers in 2017, now over 200 in 2019
Marketplace is constantly improving coverages offered: Regulatory, CBI, Reputational Harm, Workplace Violence
MMA Cyber CoE reviews manuscript wording on a bi-annual basis to ensure broadest coverages available:
• GDPR endorsement
• GDPR plus endorsement
• Regulatory endorsement
Get Your Privacy House in Order
1. Create a data inventory and map data flows, including all data transfers:
– Cross-border transfers
– Sales of data
– Sharing with vendors or third parties
– Third party processing of employee data
– Intra-company transfers (affiliates)
2. Review and update internal privacy and security policies
3. Update your online privacy policies and notices
– GDPR and CCPA policies will require descriptions of categories of third parties with whom data is shared
Get Your Privacy House in Order
4. Establish processes to respond to data subject rights requests
– IT considerations – how will you find the data to respond quickly?
5. Enhance vendor management processes (RFP, contracting, audits)
6. Review recordkeeping practices and update for new requirements
7. “Privacy By Design”
Ongoing tracking of evolving legislation
Takeaways
• Understand exposure to non-U.S. regulations
• Key developments forthcoming (EDPB guidance)
Takeaways
MMA
• A well-crafted Cyber Liability policy is our best risk transfer tool
• Negotiating responsive and expansive coverage is an ongoing process
Takeaways
MMA
• The marketplace is constantly evolving to address new exposures
• Work with a cyber risk specialist who is able to identify your exposure, has the tools to quantify it and can articulate the coverage enhancements to the C-Suite
• The regulatory environment around cyber risk has picked up significantly over the past 24 months and we expect that trend to continue
• Be on the lookout for regulatory updates from MMA
Questions for the Panel?
MarshMMA.com
This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency, LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisors. Any modeling analytics or projections are subject to inherent uncertainty and the analysis could be materially affected if any underlying assumptions, conditions, information or factors are inaccurate or incomplete or should change. Copyright © 2019 Marsh & McLennan Insurance Agency LLC. All rights reserved.