The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and despite the publicity and prognoses of doom, it did not have any immediate earth-shattering effects. At most, you may have noticed a flood of requests to re-subscribe to websites or to review a company's updated privacy policy. In fact, many non-EU-based businesses may not even notice that the GDPR is now in effect because they have been dismissing it as a regulation that "does not apply to us." This is a serious misperception: a significant number of businesses in non-EU countries, including the United States, are subject to the regulation and its potentially massive fines. European data protection regulators are expected to look very closely for violations, and they may not be shy about imposing significant penalties on companies that fail to comply.
The GDPR is in many respects quite similar to the data breach notification laws in the United States, although in some respects the regulation is considerably broader. Cyber insurance in the United States developed to respond to the expenses and liabilities that flow from data breaches under those laws, and it will likely evolve in a similar fashion to respond to GDPR-related incidents.
By examining how the breach notification laws in the United States shaped the development of cyber insurance over the past two decades, we may be able to anticipate what the GDPR will mean for the cyber insurance market going forward, both in the EU and the United States.