As the Personal Data Protection Act of India (PDPA 2020) gets ready to make its entry into the Indian legal landscape, the Insurance industry is looking forward to the new opportunities being opened up by the law. Following the recent global trend, the penalties under PDPA 2020 are set at 2% or 4% of the global turnover of an organization depending on the type of offence. Even Government departments could face penalties of up to Rs 5 crores. Hence the industry will be keen to find cover for PDPA risks.
The Cyber Insurance industry was extremely lethargic when it came to introducing insurance covers for Cyber Crimes. India came up with laws on Cyber Crimes, and created liabilities for organizations arising out of Cyber Crimes, way back in 2000 with the ITA 2000. The amendments in 2008 increased the responsibilities of intermediaries in IT services. The RBI, way back in 2001, advised banks to cover hacking and denial of service risks with cyber insurance. However, the Insurance industry could not come up with proper insurance covers until recently. Personal cyber insurance policies in particular came on the scene only during the last few years and are yet to be popularized.
Cyber Insurance policies basically cover first party risks where the insured suffers loss of data, loss of production, loss of intellectual property, or reputation loss. With Ransomware on the prowl, payment of ransom is also covered by some of the policies. Additionally, third party risks involving claims of damages by personal data owners on account of a cyber attack are also covered in these policies. Some policies which cover employee misconduct or technical errors are also often called Cyber Insurance policies, though they differ from Cyber Crime Insurance policies in concept and risk coverage. The policies issued to corporates are largely based on the reputation of the organization. It is unclear to what extent the “Security Status” of an organization is factored in when the premium is fixed for such policies.
In 2015, when Naavi.org conducted a national survey to understand the Cyber Insurance preparedness in India, the results showed very little involvement of Cyber Security professionals in the determination of Cyber Insurance coverage in companies. It appears that the situation has changed for the better in recent days, since some Insurance companies now claim that they look at the security preparedness of an organisation, such as whether the organization has an “ISMS policy”, whether an IS audit has been conducted, and so on.
Even before Cyber Insurance products reach a level of acceptable maturity, PDPA 2020 will usher in a new era in Information Security that will need a fresh look at insuring PDPA risks.
One of the first challenges that PDPA brings in is that it takes the financial liability risk to a far higher level when the insured asset is the “Personal Data” of individuals, as against “Business Data” or “IPR data”. Theoretically the risk can go up to 4% of the global turnover, and any insurance for a lesser amount would amount to “Under insurance”.
The second challenge is to identify the “Insurable Asset”, for which an effective “Data Classification” policy and implementation mechanism should be present in the organization.
The third challenge is to track the “Personal Data” in an organization through its “Life Cycle”, during which its insurable value may fluctuate. As “Raw Data” becomes “Personal Data” and then migrates to the state of “Sensitive Personal Data”, its insurable value changes. Similarly, the personal data life cycle, which is “Reversible”, may see a change of insurable value when sensitive personal data is de-sensitized, de-identified, pseudonymized or destroyed. When the life cycle of personal data is reversed, there would be costs to be incurred for each change of status, but the market value of the data may actually decline. When reverse life cycle operations are implemented, the end result could be of lesser or zero value, but the operation has a cost which the insured would like to identify as the “Cost of Maintenance of Personal Data”. Will this be a “relevant cost” for insuring? Will the change in value of the data as it moves between different life cycle stages get reflected in the valuation of personal data, either at the time of insuring or when a claim is to be assessed?
When PDPA risks are computed for the purpose of underwriting, it must be remembered that liabilities for administrative fines may arise even when there is no data breach. Hence the Insurance industry may have to assess its risks based on what steps the insured has initiated for mitigation of risks. Such steps include the “Maintenance of Personal Data” and the policies of anonymization, de-identification/pseudonymization etc., besides the usual policies such as access control, encryption, a data breach incident identification and reporting system, a grievance redressal system, the conduct of a DPIA, the appointment of a DPO, etc.
In settling claims, it would be necessary to consider not only all the aspects normally considered in a Cyber Crime insurance policy, such as legal costs, investigation costs, etc., but also the valuation of personal data in the hands of the organization, the value additions that the organization might have created in the form of “Profiles”, and the value of personal data in the hands of the data principals (or data subjects, as they may be called elsewhere).
Hence, while PDPA 2020 will usher in a golden era for Insurance Companies in India, it will require a new policy structure and new management requirements. Exciting days seem to be ahead for the insurance industry as we await the passage of PDPA 2020 in the budget session of Parliament this year.