Opinion: Cyber-crime was on the menu at RIMS 2018 in Texas, but surprisingly few people were talking about GDPR, writes David Benyon


This week StrategicRISK joined more than 10,000 attendees from 70 countries at the RIMS 2018 “Go Big” annual conference and exhibition in San Antonio, Texas.

Walking the exhibition stands, attending event sessions, and speaking to a selection of risk managers, insurance buyers, brokers and underwriters, it was illuminating to hear the risks, themes and trends foremost on their minds.

The event was much more than a national gathering of risk managers and insurance buyers. The global reach of the Risk and Insurance Management Society (RIMS) is evident from events planned for China, India, Singapore, Latin America and Canada.

However, most delegates were still drawn from within the US, with Europeans a small minority. That said, most firms represented will have sold to European customers, even if they do not have offices or subsidiaries within Europe. Such is the globalised online world we live in.

Some of the hot topics at RIMS 2018 were identical to those heard at recent European risk management events. Cyber threats, supply chain risks, resilience against business interruption, extreme weather perils, reputational and brand crises, regulatory concerns, fears about terrorism and political risk events, and working towards better diversity and inclusion – these are all familiar themes.

GDPR risk

Europe’s General Data Protection Regulation (GDPR) was on the agenda in Texas. FERMA’s chief executive spoke at one session on the topic of corporate governance and cyber security. Another session simultaneously addressed how to avoid the “global privacy landslide” – as in the case of Facebook’s CEO, Mark Zuckerberg, recently summoned to testify before Congress in DC.

However, in the one-to-one meetings and interviews that journalists inevitably spend much of their time doing at events like RIMS, there was relatively little bite on the topic of GDPR. Few US clients were asking about it, insurance firms said. This was, to me, surprising, and it may also be deeply worrying, as the law is now a little over a month away from enforcement on 25 May 2018.

Of course, the US has its own data protection and cyber risk regulatory environment. It’s had it for years. As the most litigious market on Planet Earth – from workers’ compensation to directors’ and officers’ insurance coverage – firms are well wary about liability risk. Class actions are rife. Cyber liability insurance, and particularly breach response covers, grew up here.

The number of data breaches in the US increased from 157m in 2005 to 781m in 2015, while the number of exposed records jumped from around 67m to 169m in the same period. In 2016, the number of US data breaches amounted to nearly 1.1bn, with close to 36.6m records exposed.

At the federal and state levels, as well as industry standards, the regulatory environment is mature and ironclad. California and New York – home to Silicon Valley and global financial institutions, respectively – have been prominent.

In 2003, California blazed a trail by passing the Notice of Security Breach Act, the first of its kind in the US, which requires that any company that maintains personal information of California citizens and suffers a security breach must disclose the details of the event.

The New York Cyber Security regulation has been effective since 1 March 2017, with regulated companies having to file detailed annual certification for compliance to the state regulator since 15 February this year.

At federal level, US cyber regulation clamped down with several major acts of legislation in the 1990s and again after 9/11. The Obama years also saw a raft of further federal rules passed in 2014-2015, including the Cybersecurity Information Sharing Act, the Cybersecurity Enhancement Act, National Cybersecurity Protection Advancement Act, and the Federal Exchange Data Breach Notification Act.

The latter law focuses on the health insurance sector – a favourite target of online fraudsters. The law requires health exchanges to notify everyone whose personal data is known to have been hacked, no more than 60 days after discovery of a breach. But none of the US rules apply as broadly or include penalties as punitive as GDPR.

GDPR introduces a duty on all organisations doing business with European customers to report a data breach to the relevant authority, such as the Information Commissioner’s Office for UK consumers, within three days of becoming aware of the breach.

Furthermore, the “right to erasure” or “right to be forgotten”, depending on where you read it, means that if a customer asks an organisation to delete their data, the organisation has a month to do so, or it is breaking the GDPR law.

Hacked off

Consider the implications of these changes with this example. A European customer buys a pair of sneakers from the website of a US retailer and gets them delivered to their address in, let’s say, Dublin. Shopping online does not respect borders, the shoes are nice, and the retailer wants this guy’s dosh.

Retailers commonly ask whether online customers want to create an account login, to make return purchases quicker. The customer does this. He creates an account with an email address and password.

Then when going to pay, he clicks “remember payment details” and “remember address”, thinking he might return later to buy a second pair of shoes he likes nearly as much. The US retailer duly stores the Irishman’s personal data.

A week later, and the shoes arrive. They’re lovely. Two weeks later, the consumer gets a news alert on the screen of his smart phone. The US retailer has suffered a terrible cyber-attack, and the data stored has been breached.

Worse, the breach happened one month ago, and the retailer’s CEO admits the firm knew about the attack at least a fortnight ago – the day the Irishman bought his shoes. But the company did not initially report the breach, and the data have been up for sale on the dark web for weeks already.

The customer gets angry. He tries calling the retailer, to ask them to delete his data. It may be too late, but he’s angry anyway. But it’s out of working hours, and he gets an automated message from the firm’s customer services team. He sends an email instead. They don’t reply. He sends several more emails, but it takes the firm five weeks to confirm his data have been deleted from their records.

What is at stake for the retailer in this hypothetical scenario? Well, as much as 4% of annual revenues for firms that do not comply – by failing to notify authorities, to tell customers, or to do things like delete data on request. That could mean a regulatory penalty of billions of dollars for a large retailer that fails to promptly notify its European online customers that their details got hacked.

Not-for-profit bodies are also allowed to bring what looks like the equivalent of class actions under the GDPR umbrella, potentially representing thousands of angry European consumers who got their data hacked and demand compensation.

If the above example is naïve, please tell me so, because I’m still not convinced that organisations outside Europe, and particularly those with online businesses selling worldwide (which means pretty much everyone), have sufficiently considered their exposure to the long reach of GDPR.

David Benyon

European editor