Page 16 - Feb2019_BarJournal
BarJournal INSURANCE LAW
JULY/AUGUST 2015
FEATURE: Insurance Coverage for Regulatory Penalties Resulting from a Data Breach
BY GABRIELLE KELLY
In November, Marriott alerted guests that its reservation system had been compromised and thieves had potentially stolen personal information on 500 million guests. The company vowed to quickly investigate and resolve the matter, and offered credit monitoring services to guests. While the breach was a first for Marriott, consumers are quite familiar with receiving a notice that their Personal Identifying Information ("PII") may have been stolen. Unfortunately, data breaches have become so common that various states and countries have implemented regulatory measures to protect citizens. Companies are, in turn, looking to their insurance policies to cover any regulatory fines or penalties in addition to the routine expenses of handling a data breach.

REGULATORS' RESPONSE TO DATA BREACHES

In response to the pervasive number of data breaches, new consumer privacy laws have been enacted to address the security of consumer information. The number of companies that are now subject to regulation has enhanced and reshaped businesses' potential exposure. The application of these new regulations is not limited to companies within their jurisdiction; in fact, the laws are much more far-reaching in that they target all organizations that handle or process PII of data subjects within the jurisdiction. This higher level of security compliance that has been adopted by the European Union is suspected to be the model for other jurisdictions' laws and could become the benchmark.

European Union

The most widely discussed response by regulators is the General Data Protection Regulation (GDPR), which was enacted by the European Union and went into effect in May 2018. Under the GDPR, organizations that hold or process personal data (e.g., name, address, medical information, social networking posts, or any other information directly associated with an identifiable living person) must clearly disclose any data collection, state how long the data is being retained, and state whether it is being shared with any third parties. Data subjects then have the right to request a copy of the data and, under certain circumstances, the right to demand that the organization delete their data. Further, companies must report any data breaches to regulators within 72 hours if the breach may have an adverse effect on user privacy. If an organization is found to have violated the GDPR, the organization may be liable for fines of up to €20 million or 4% of a company's annual worldwide revenue, whichever is higher. The focus on the data
16 | Cleveland Metropolitan Bar Journal clemetrobar.org