With news of massive data breaches making headlines in recent years, the processing of personal data has become a priority for lawmakers and regulators around the world. Compliance with data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) promises to be one of the major challenges for companies in the future, as violations of these regulations present the risk of substantial fines or penalties.
In order to manage this potential liability, companies have turned to cyber insurance. However, even when cyber insurance policies expressly state that they cover fines and penalties, whether or not they do so depends on whether the fines and penalties are “insurable” under the law that governs that coverage. Some jurisdictions prohibit insurance against public order fines and penalties, and if the law of such a jurisdiction is deemed to apply, then even a policy which expressly promises to provide cover may not protect the assured.
The law of the jurisdiction that governs the coverage of an insurance policy is usually determined by applying the policy’s choice of law clause if it has one or, if not, by applying the choice of law analysis of the forum court. The choice of law analysis itself varies from jurisdiction to jurisdiction, with some jurisdictions focusing on where the contract was formed and others looking at other factors, such as which state has the most important contacts with the contract, which state has the greatest interest in having its law applied, or the location of the insured risk. This creates a level of uncertainty for policyholders, as it means that even the same policy may cover fines and penalties in some circumstances and not in others.
Cyber policies have taken different approaches to addressing this insurability issue in their policy language, and some are more favorable to policyholders than others. For example, some insurers have issued policies that state that fines covered by privacy regulations include “civil fines, sanctions or penalties insurable under applicable law.” (emphasis added). In contrast to this wording, other insurers have incorporated more flexible choice of law wording. For example, insurers have issued policies stating that “The insurability of Penalties will conform to the law of the applicable place that most favors coverage for such Penalties.” (emphasis in bold in original, underlining added). While either provision may lead to coverage depending on the circumstances of the particular claim, the latter policy wording could increase the likelihood that a policyholder may rely on the law of a particularly favorable jurisdiction to obtain coverage.
As insurance options continue to evolve to meet an increasingly complex data privacy framework, companies looking to manage their risks through cyber insurance should carefully consider all choice of law provisions and consult an insurance lawyer.