Jenny Soubra, US head of cyber for Allianz Global Corporate & Specialty, talked with TechRepublic’s Dan Patterson about how cyber insurance comes into play when privacy regulations like GDPR are enacted. Here’s their conversation:
Patterson: When we have a regulation like the GDPR or the right to be forgotten introduced into the global marketplace, how can companies respond to those types of regulations to make sure not just that they are compliant with the regulation, but that they have the proper insurance in case something happens post-regulation?
Soubra: There has been a run-for-the-bulls, we could call it, to get compliant with the GDPR requirements, and that goes around the data storage, what data you’re harvesting, what you’re using it for and then, as you mentioned, the right to be forgotten, which basically is that an individual can go to a company and say, “I would like the right to be forgotten,” and that company would have to find all of the different places that this individual’s personal information might lie, all of the different platforms, all the different areas where this information may have been used, and be able to remove that from the system. Now, when you multiply that by the number of people that may be requesting this in all of Europe, the number is staggering and it can be a very daunting task. Companies are trying to figure out how they can do that.
What we also know is that for violations of GDPR, an organization can be fined up to 4% of its global revenue. So, for a multi-billion dollar organization, that number can be very significant. Companies are racing to become compliant. At this point, we’re about 60 days out from the implementation of GDPR. It remains to be seen what is going to happen. I think it will be one of two conversations: “Where are the fines?” or “Wow, those are a lot of fines.” We don’t know what’s going to happen yet. A lot of it is going to come down to the bandwidth that the actual regulatory bodies have to actually go after companies, how hard they are going to go after them in the beginning, and what’s going to happen when they do have violations.
So, in the US, we’ve seen record fines being handed out by the Office for Civil Rights. In many cases, it’s because we have repeat offenders who haven’t taken the breaches seriously, that are not taking corrective actions to fix whatever issues they had. Usually, if an organization has some sort of a privacy incident, they’ve taken it seriously, they’ve dealt with it properly, they’ve taken action to correct whatever issues. That makes regulators happy. It’s when people don’t do that, or organizations don’t do that, and it’s this kind of flippant response, that the fines get bigger and bigger for those repeat offenders.