“Ew…EU Eliminates Safe Harbor for US Companies”

In the European Union, data privacy is a fundamental right.  Think life, liberty and the sanctity of your Gmail inbox.  The EU’s data privacy laws are therefore more stringent than similar laws in the United States.  From 1995, when the EU’s laws came into effect, until 2000, this was a big problem for US companies doing business internationally.  Compliance with stricter data privacy laws is expensive, logistically difficult, and – well – really, really expensive.

On July 26, 2000, everything changed.  The European Commission adopted the “Safe Harbor Adequacy Decision.”  This allowed US companies to opt-in a self-certify that they complied with a stipulated set of US/EU data privacy standards.

On October 6, 2015, everything changed.  Again.

The Court of Justice of the European Union (CJEU), in the matter of Maximillian Schrems v. Data Protection Commissioner, invalidated the Safe Harbor Adequacy Decision.  Max, a Facebook user since 2008, had initiated the case before the Irish Data Protection Commissioner (yeah, they have that).  He complained that Facebook sent his information from servers in Ireland to servers in the US for storage, and that based on Edward Snowden’s accounts of the NSA’s access to private data, his data had no real protection against surveillance by the United States.  Basically, safe harbor, shmafe harbor.

The Commish upheld the validity of safe harbor.  Max appealed to the Irish High Court, which stayed the case and referred the question of the validity of safe harbor to the CJEU.  The CJEU said safe harbor, shmafe harbor, stating that “[t]he United States intelligence services’ access to the data transferred seems to extend to the content of the electronic communications, which would compromise the essence of the fundamental right to respect for privacy [and could] compromise the essence of the fundamental right to protection of personal data.”  Translation, NSA not okay.

US companies are scrambling to figure out EU data privacy compliance plans.  Legislators are looking for legislative solutions.  It’s kind of a big deal.

But this blog is about insurance, isn’t it?  Yes, it is.

The insurance implications of the Schrems decision are also a big deal.  When the ‘data privacy and cyberliability’ insurance policies now in place were issued, safe harbor was totally a thing.  Many of those policies include coverage for regulatory investigations and resultant penalties.  When safe harbor was a valid way to comply with EU data privacy laws, US companies’ exposure to EU regulatory enforcement was relatively well-understood and quantifiable.   With safe harbor going the way of the flip-phone, a key data point in risk profile assessment has essentially become a complete unknown.  Complete unknowns and insurance underwriters are not friends.  In fact, rumors are that they have not spoken since asbestos became a thing.

It remains to be seen how quickly and aggressively EU authorities target US companies for regulatory enforcement.  US companies have recently seen a dramatic increase in enforcement action from state attorneys general and the FCC.  It is not unreasonable to expect the same type increased activity from EU authorities.  More investigations.  More penalties.  Wait for it…More claims.

The cyberinsurance market is still relatively young.  Carriers have struggled to price premiums in the absence of sufficient actuarial data and extensive loss histories, and these problems are exacerbated by the rapidly changing nature of the risk itself.  Schrems is only one example of how quickly and dramatically the cyberliability landscape is changing.  It should by now be taken for granted that US companies, and indeed all companies, need to approach initial policy retention with great care.   The policy review and purchase process should be the result of a team effort, including IT, legal and business consultants and decision-makers who have discussed in detail the types of data that they control, data security measures in place and to be put in place and potential exposure points of exposure.

The same careful approach must be taken during the annual renewal process.  Companies cannot simply renew data privacy and cyberliability policies in the same manner that they renew CGL or D&O policies.  The risk and the rules are changing too rapidly.  Every year, companies should get the gang back together to review policy language and to discuss legal, business and technological developments that impact coverage.  Coffee should be served.  And donuts.