Can GDPR Fines be covered under Cyber Insurance in India?
By Prashant Mali,
Cyber Law & Privacy Expert.
Cyber policies usually grant cover for civil fines provided that these fines are “insurable at law”.
Where insurance for fines and penalties is available, it is usually provided as part of
a general liability policy, although there is no general rule and some such policies
routinely exclude such cover. In addition, prudent directors who face the possibility
of personal exposure to civil fines will take steps to ensure that their D&O (directors'
and officers' liability) policy will cover them if they are investigated personally.
Example Policy Terms
Insurance coverage is available for fines and penalties. A popular
form of cyber insurance includes, as an item of covered loss:
[C]ivil fines or penalties imposed by a governmental agency and
arising from a Regulatory Action, unless the civil fine or penalty imposed is
uninsurable under the law of the jurisdiction imposing such fine or penalty.
Another popular policy form provides coverage for
"Penalties," defined as:
[A]ny civil fine or money penalty payable to a governmental entity
that was imposed in a Regulatory Proceeding by the Federal Trade Commission,
Federal Communications Commission, or any other federal, state, local or
foreign governmental entity, in such entity's regulatory or official capacity;
the insurability of Penalties shall be in accordance with the law in the
applicable venue that most favors coverage for such Penalties.
Based on these definitions (which are typical), several features
are prominent:
- The fines or penalties must be "imposed by" a governmental agency.
- The fines or penalties must be insurable under the applicable law.
- The fines or penalties must be paid to a governmental entity or to a consumer redress fund.
While it is not an inbuilt coverage, fines and penalties can be
covered under a D&O policy by suitably modifying the definition of loss or
in another appropriate manner. Reproduced below is one such definition as
found in a policy wording.
“Loss also includes civil and administrative fines and penalties,
awarded against Insured Persons, to the extent such are insurable by law,
and the multiplied portion of multiple damages”
There is no express law in India, including the Companies Act, 2013,
which declares any fine or penalty to be uninsurable.
Section 197(13) of the Companies Act, 2013 is reproduced below:
“(13) Where any insurance is taken by a company on behalf of its
managing director, whole-time director, manager, Chief Executive Officer, Chief
Financial Officer or Company Secretary for indemnifying any of them against any
liability in respect of any negligence, default, misfeasance, breach of duty or
breach of trust for which they may be guilty in relation to the company, the
premium paid on such insurance shall not be treated as part of the remuneration
payable to any such personnel:
Provided that if such person is proved to be guilty, the premium
paid on such insurance shall be treated as part of the remuneration.”
Surprising as it seems, there appears to be no section in the
Companies Act, 2013 which prohibits indemnification of any nature.
It needs to be clearly understood that, as with other
payments under the policy, the prior approval of the insurer is a prerequisite for claiming
this loss. One policy wording is reproduced below. A provision relating
to non-admission of liability is present in all policy forms, although the
language varies from insurer to insurer.
“The Insured shall not admit or assume any liability, enter into
any settlement agreement, or consent to any judgment without the prior written
consent (which shall not be unreasonably delayed or withheld) of the Insurer.
Only liabilities, settlements and judgments resulting from claims defended in
accordance with this policy shall be recoverable as a loss under this policy”
Directors would do well to seek, in their letter of
appointment, appropriate and adequate indemnity provisions: indemnity against
all losses and expenses incurred by them in relation to the discharge of their
duties unless such loss or expense is caused by their own deliberate and
malicious actions. It pays to be explicit and to have more inclusive provisions.
Insurability
A looming question in the case of insurance for fines and
penalties is whether such items can lawfully be insured at all, even where the policy language
expressly provides for such coverage. As with the insurability of punitive
damages, there is no uniform view. However, one can make several general
observations:
- Fines or penalties that are based on intentional or willful conduct are likely to be challenged by the insurer on public policy grounds.
- Fines or penalties that are "punitive" in nature are more likely to be challenged by the insurer than those that are "compensatory" in nature.
- Penalties that are assessed vicariously against a policyholder (such as when a corporation is held liable for an unauthorized act of its employee) are less likely to be challenged.
Case law exists under a variety of statutes, and in a variety of
state and federal jurisdictions, that assesses whether particular fines or
penalties are punitive or compensatory, or are insurable. Cyber policies
address insurability through choice of law and choice of venue. As can be seen
from the example language quoted above, there are two basic approaches:
- One version permits coverage except to the extent that the law of the jurisdiction imposing the penalty forbids such coverage;
- The other version permits coverage so long as the most favorable applicable venue permits such coverage.
Under conventional choice of law procedures, an "applicable
venue" is likely to be one that has some sort of relationship to the
parties or to the underlying facts. A standard provision for punitive damages
directs that the applicable law is
"the law of the jurisdiction most favorable to the
insurability of such [punitive] damages, provided such jurisdiction has a
substantial relationship to the relevant Insured, to the Company, or to the
Claim giving rise to the damages."
This type of formulation appears to provide more flexibility for
coverage of such penalties than one in which the penalty-imposing jurisdiction
is selected.
International variation
The position in other jurisdictions is likely to be similar, albeit with
some noteworthy differences. For example, it is common
in Australia for cover to be provided in respect of civil fines and some
insurers have extended liability insurance to include criminal fines imposed in
circumstances other than where the insured has behaved in a reckless manner (or
worse). Whether or not such policies are legally enforceable remains a hotly
contested issue, but despite the difference in approach from the English
position, the underlying public policy issues are the same.
In the US, a number of products are available which provide cover
in respect of investigations under the Foreign Corrupt Practices Act, although
in keeping with the policy considerations described throughout this article,
cover is limited to the costs of such an investigation and coverage for any
fines or penalties is specifically excluded.
In the UK, the leading case on whether regulatory fines
are “insurable at law” is the decision of the Court of Appeal
in Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472. In this case,
pursuant to the Competition Act 1998, the Office of Fair Trading issued a
regulatory fine against Safeway. Safeway then sued its own
directors in order to recover the fine under their D&O policy.
The First Instance Judge, Flaux J, noted that:
“…the real target of the present claim is not the assets of the
individual defendants, many of whom are of modest means, but the directors’ and
officers’ liability insurance available to the defendants…”
Flaux J, after reviewing the previous authorities, held that
the “illegality defence” applied to the regulatory fine
relating to the breach of the Competition Act 1998. The breach was held
to be sufficiently serious and “morally reprehensible”, even though
it had been committed without intention. The Court of Appeal upheld that decision,
holding that the liability for the fine was personal to Safeway and could not be passed on.
Although potential exposure to fines and penalties is an important
risk management consideration for companies and their directors, it appears that
the extent to which insurance for liabilities of this nature can be obtained is
limited, at least in England and Wales. It is clear that as a matter of English
law, criminal fines and penalties cannot be insured for public policy reasons
and, although there is no authority directly on the point, similar considerations are likely
to apply in the case of civil fines, so that these will only be insurable where
the conduct in respect of which they are incurred does not involve deliberate
wrongdoing.
The ex turpi causa maxim means that even where
such cover can be obtained, an insured will be precluded from making a claim if
the conduct to which the fine or penalty attaches was intentional or
negligent.
Conclusions
Legally: While many insurance
policies provide cover so far as insurable by law, the reality is that GDPR
fines themselves will likely not fall within cover. There may be cover for the
costs associated with complying with, defending or appealing investigations
from the ICO. And insurers may, of course, elect to pay out an amount in
respect of the fine (potentially leading to issues in respect of reinsurance
recovery). Note, also, that Bermuda legislation does not prohibit passing on
liability for fines and may therefore provide some excess options worth
considering.
Commercially: Regardless
of any debates around the legal position on coverage of fines, the commercial
reality is that the value of cyber cover comes in the knowledge and expertise
that can be provided by the insurer, particularly in terms of responding to a
data security breach. Cyber policies will generally cover systems failure, data
restoration, as well as third party claims for damages for lost data or
breaches of security and privacy and may also cover amounts paid in response to
cyber extortion. Crucially, they will usually also provide access to necessary
and pre-approved vendors and a package of cover that includes:
- pre-breach offerings;
- disaster recovery costs;
- communication and notification costs;
- paying for forensic investigations to determine the cause of the breach;
- legal advice;
- engaging experts to manage public relations and protect the company's reputation;
- lost income and payroll as a result of a breach; and
- credit monitoring for customers.
Of course, insurance can be no substitute for robust data
protection policies - and the potential to be on the wrong end of a GDPR
penalty makes it all the more important for companies to invest in such
policies and procedures. However, in today's climate of increased cybercrime,
it is vital for businesses to arrange cyber cover and to partner with insurers
in order to assess their exposures and be in a position to respond swiftly and
effectively as and when a security breach occurs. Just don't have an unrealistic
expectation that it will provide indemnification in respect of any GDPR fines.