The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.
The Safe Harbor program has been in place since 2000 and was meant to bridge the gap between the regulatory requirements for handling of personal data in the EU and U.S. The Safe Harbor created a self-certification mechanism by which companies in the U.S. could opt into a set of rules governing the handling of EU personal information in order to meet EU privacy law requirements. If a company opted in, it was then able to receive data transfers from the EU to the U.S. without further approval.
The Schrems ruling, explained in detail here by our privacy team, found that the Safe Harbor protections afforded were in fact not adequate. The CJEU noted that the protections required to meet Safe Harbor obligations could actually be disregarded for a number of reasons, including at the request of certain government entities or where preempted by U.S. law. The CJEU held that a company’s decision to opt into the Safe Harbor therefore does not necessarily protect the personal data of EU citizens and it would no longer consider such Safe Harbor participation by a U.S. company sufficient to meet the requirements of EU privacy laws.
Although the sharing of information between the EU and U.S. will not be immediately halted – the ruling allows an EU nation’s supervisory authorities to evaluate the treatment of data in a particular case – if no resolution is reached by January, there is a possibility (discussed here) that at least some EU nations will follow the CJEU’s lead and commence regulatory investigations and proceedings to evaluate specific data transfers to U.S. companies. For companies that once relied on the Safe Harbor program, there may be implications for their purchase or renewal of cyber insurance.
As any company that has cyber insurance knows, the application process involves, at a minimum, answering a series of questions to help the insurer better understand a potential insured’s data exposures and its information security governance practices. Up until this point, we are unaware of any significant inquiry concerning a company’s data transfers from the EU to the U.S. In light of the recent ruling, however, this might change.
Going forward, potential policyholders may expect to see questions intended to evaluate the risk associated with their data transmissions across jurisdictions. If those transmissions are not in compliance with the appropriate regulatory schemes, it could give rise to investigations and even fines and penalties. Since most cyber insurance policies offer coverage for responding to and defending against regulatory investigations and proceedings, and any resulting fines and penalties, insurers are likely to take the risk of an EU data protection authority investigation into a company’s compliance with EU privacy laws very seriously.
Companies responding to questions on insurance applications regarding their data transfer practices likely fall into three groups:
First, there will be companies that do not transmit protected data between the U.S. and EU. Those risk profiles will be unchanged and unaffected by the decision.
Second are those companies that can certify to having already taken, or being on the verge of taking, additional steps beyond the Safe Harbor requirements. This can include using EU Model Clause Contracts (a set of EU approved clauses for data transfers) or intra-group agreements or binding corporate rules (a set of corporate rules which are approved by EU data protection authorities). These companies – whose ranks are expected to grow in the wake of the ruling – should also expect no change in their cyber insurance coverage.
Third are those companies that were in compliance with the Safe Harbor requirements but have not yet taken additional steps to protect the transfer of information from the EU to the U.S. These companies may run the risk of losing some or all of their cyber insurance protection in connection with such activities including, for example, an exclusion of regulatory coverage in connection with data transfers. (This is similar to the way insurers exclude Payment Card Industry (PCI) coverage for companies that are not PCI compliant.) Companies in this category – for reasons that go beyond insurance – should be thinking now about what steps they can take to address their potential exposure.
Insurance may not be the primary impact of the CJEU decision, but it is one that companies should not ignore.