April 03, 2018
Since I first put pen to paper on this blog just last week, three more major hacks have hit the headlines – The Hudson’s Bay Company, Orbitz and Under Armour. Already in 2018, we have seen several high-profile security breaches. Bad news for sure, though the good news is that change is in the works. Beginning in May, the European Union’s General Data Protection Regulation (GDPR) will officially go into effect.
GDPR will require businesses to protect the personal data and privacy of citizens in the EU for transactions that occur within EU member states. For example, companies will need the same level of protection for an individual’s IP address as they do for name, address and Social Security number.
At a high level, the implementation of GDPR means that any U.S.-based business collecting data on citizens in the EU will be held to these higher standards of security and will be exposed to new, costly sanctions for non-compliance. As such, it is imperative to ensure that insurance policies are structured appropriately to provide coverage for legal fees, fines and penalties.
Any businesses that will be affected by the changes should get in touch with their broker as soon as possible to tackle any policy nuances GDPR may bring. For instance, as it stands today, some carriers only provide coverage for regulatory inquiries when a business has had a data security incident. Under GDPR, regulators are likely to conduct proactive investigations – before a breach happens. If they were to find any deficiencies or areas of non-compliance in the system, you’d potentially be left exposed for those costs.
An important consideration right now for any small, medium or large business – regardless of whether it needs to comply with GDPR – is employee training. Time and time again, the biggest vulnerability is people, not technology. Work with your risk manager to put together drills and an incident response plan. Neither you nor your bottom line will be sorry.
To get your business prepared for GDPR, reach out today: cyber@risk-strategies.com.
The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client.