Peter Adediran is the founder of PAIL Solicitors, a law firm that specialises in representing tech vendors and licensors; assisting entrepreneurs; and guiding digital start-ups to take their idea through to execution. Subscribe to his free blog on technology, IP and Internet law.
1. Cyber and data liability insurance cover is not mandatory by law. Do I need it?
It is a good idea to get cyber and data liability cover from the perspective of both (a) sound internal risk management and (b) business development.
(a) From the risk management perspective, you are mitigating the reputational and financial risks of a regulatory investigation and fine, and/or of damages from a lawsuit, as well as the substantial costs of legal representation. You should get cover if you:
– Operate an e-commerce website.
– Hold personal customer details such as names, addresses and payment information.
– Process payments.
– Send sensitive information by email or store data in the cloud.
– Use devices such as laptops and smartphones to store personal customer information.
(b) From the business development perspective, you might find that some organisations will require you to have cyber and data liability cover before entering into a licence, purchase or joint venture agreement, particularly if you are a tech vendor. For example, if you are licensing a technology product such as a mobile app to a reputable organisation, they will almost always, as standard practice, demand that you have a minimum level of cyber and data liability cover before they will execute any agreement with you.
The risks of a regulatory investigation and/or lawsuits are significant. According to a BBC report dated 19 December 2016, figures from CFC Underwriting suggest that it handled more than 400 cyber-breach claims in 2016, which works out to a rate of about one a day. Given that CFC Underwriting is only one insurer in a pool of dozens, it is safe to postulate that the aggregate number of claims handled each day by UK insurers is far higher.
An older report by the Association of British Insurers, updated on 01 June 2016, stated that 60% of small businesses had suffered a cyber breach. The average cost to SMEs ranged between £65k and £115k. Although these statistics relate to 2014, judging by the number of claims being handled in 2016, the breaches can only have worsened.
2. You should know where to find the current data protection laws.
The current English data protection law is the Data Protection Act 1998.
The important thing to remember is that there are 8 rules on the use of personal data, and these form the Act's core guiding principles. There is a new EU data protection regulation coming into force in May 2018, but its application to English law is uncertain given that England is almost certainly leaving the EU, albeit that the precise date of exit has yet to be determined.
3. You should know that Umbrella Liability Cover does not necessarily include Cyber and data liability cover.
You should check with your insurer to determine what is included in your Umbrella Liability Cover. I cannot count the number of times a tech vendor has assumed that Umbrella Liability Cover includes data cover only to be advised by the insurer that it doesn’t after the final draft agreement has gone to the purchaser for execution.
4. In complying with data protection obligations you should be thinking about the following:
– Do you need to comply? Does your organisation hold personal information?
– What constitutes personal information?
– What constitutes a breach of your obligations?
– What are your obligations to give notice if there has been a data breach?
– What are the exemptions afforded by the Act?
– Are you transferring personal data outside the EEA?
5. Finally, here are some tips for dealing with both risk management and business development relating to cyber and data liability.
– You should ensure that sensitive data is encrypted.
– Ensure that data transfers are compliant.
– Ensure continuing education and training for data related staff.
– As for business development, before entering into an agreement with any business where you are allowing access to data, you should ensure that:
  – There are warranties or protections in place in the event of their negligence.
  – They have appropriate cyber liability cover, usually a minimum of $10 million, although it can be more or less than that figure.
  – You never sign a contract that does not hold the other party accountable for its own negligence.
  – You understand the technological structure of your business. Are you a data controller or a data processor? Are you transferring data outside the EEA?
  – You have assessed whether the other party can meet the technical requirements of the project. Do they have the resources to properly train their staff on cyber and data protection?
  – This tech vendor can meet all your technical requirements and can integrate its services seamlessly with your existing internal IT functions.
  – You know the reputation of the contracting party with its partners, licensees and licensors.
  – You know what the dispute resolution process is.
  – You know what the payment process is, including timing, and how payment is affected by a cyber and data breach.
I suspect that most smaller businesses do not bother with cyber and data liability cover if they are not tech vendors or similar. No real surprise there. But as more people become aware of their rights with respect to personal data, and hacking becomes more widespread, the need to plan for an unexpected cyber and data breach grows in importance. And even if you do not agree with that argument, you must admit that it makes sense to consider your exposure to cyber and data risk as part of a comprehensive business plan.
To book a face-to-face consultation for commercial legal advice relating to privacy and data protection issues in technology agreements and on digital projects, you should contact a specialist digital media lawyer (charge rates may apply and may vary).