It takes little effort to identify the international behemoth that was recently scrutinized for disclosing its users’ personal data (*cough* Facebook *cough*). As of today, many businesses, big and small, have the potential to be vilified and fined for the same type of inadvertent disclosures. The key distinction between Facebook and other companies is their resources to deal with the fallout of such a disclosure.

Leading up to today, you likely received emails from various vendors advising you of their new privacy policy and asking you to update your contact information. This is because on May 25, 2018, the European General Data Protection Regulation (GDPR) comes into effect. This regulation will be very favourable to consumers, but may prove to be an expensive logistical nightmare for many businesses.

What does it do?

The GDPR was developed in 2016 and intended to take effect this year. The Regulation aims to protect people’s information when it is shared with businesses. It also allows people to permit or deny the distribution of personal data to third parties. The Regulation places certain disclosure requirements on entities to inform their users of a potential breach.

Although this is a European regulation, it affects businesses that operate out of a European signatory state marketing to a foreign country (i.e. Canada), or a foreign business marketing to and operating within a European signatory state. In essence, any company that seeks to advertise to an international population, which by using the Internet most companies do, must comply with the requirements set out in the GDPR.

Failure to comply

The failure to comply with the GDPR can lead to severe consequences. One of them is a fine of up to €20 million. The GDPR also allows signatory states to implement their own regulations to ensure compliance. Another significant repercussion is the potential for lawsuits stemming from a data breach. The GDPR establishes a standard of care that businesses must meet. Failure to satisfy this standard will expose businesses to not only fines but also financially devastating legal actions.

Cyber Insurance

The “big” insurance companies like Chubb, Lloyds, and Northbridge are beginning to offer comprehensive cyber insurance policies to businesses. Other new companies such as Boxx Insurance have started to exclusively offer cyber insurance policies to small and medium-sized businesses.

Cyber insurance policies are designed to protect businesses when a data breach occurs, and may include coverage for fines, legal services, and PR services.

Adjusters’ Considerations

Insurance adjusters will soon be confronted with a significant number of claims originating from cyber policies. Adjusters must be ready to ensure not only that their clients are protected but also that the insurer is not being defrauded.

Adjusters will have to undergo technical training to verify that their clients are compliant with not only the GDPR but also with the requirements of their insurance policy. It will also be imperative that adjusters identify technical “red flags” that may signal a fraudulent claim.

Striking this balance will be difficult but necessary.


Companies like Facebook can rebound from a data breach given their vast pool of resources; however, a small business can go bankrupt from a single cyber-attack. As a result of this dichotomy, cyber insurance policies will continue to develop and may soon be as common as an auto insurance policy. Insurance companies and their adjusters must be prepared to understand and “speak the language” of their consumers to meet their needs and expectations.

For more on the GDPR, see Data protection in the EU.


  • Stas Bodrov

    Once the target of an unsuccessful phishing scam, Stas is a key part of SBA’s cyber liability and privacy group providing services ranging from assessments and prevention to crisis response.