With news of massive data breaches making headlines in recent years, the handling of personal data has become a focus for legislators and regulators around the world.  Compliance with data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) promises to be one of the major challenges for businesses going forward as violations of these regulations present the risk of substantial fines or penalties.

In order to manage that potential liability, businesses have looked to cyber insurance. However, even when cyber insurance policies expressly state that they cover fines and penalties, whether or not they actually do so depends on whether fines and penalties are ‘insurable’ under the law that governs that coverage. Some jurisdictions prohibit insurance for fines and penalties as against public policy, and if the law of such a jurisdiction is deemed to govern, then even a policy that expressly promises to provide coverage may not protect the insured.

The determination of what jurisdiction’s law governs coverage under an insurance policy is typically made by applying the policy’s choice-of-law clause if it has one, or if not, by applying the forum court’s choice-of-law analysis. The choice-of-law analysis itself varies across jurisdictions, with some jurisdictions focusing on where the contract was formed and others examining other factors such as which state has the most significant contacts with the contract, which state has the greatest interest in having its law applied, or the location of the insured risk. This creates a level of uncertainty for policyholders because it means that even the same policy might cover fines and penalties in some circumstances and not in others.

Cyber policies have taken different approaches to addressing this insurability issue in their policy language, and some are more favorable to policyholders than others. For example, some insurers have issued policies that state that covered Privacy Regulation Fines include “civil fines, sanctions, or penalties insurable under applicable law.” (emphasis added). In contrast to this language, other insurers have incorporated more flexible choice-of-law wording. For example, insurers have issued policies that state that “The insurability of Penalties will be in accordance with the law in the applicable venue that most favors coverage for such Penalties.” (bold emphasis in original, underline emphasis added). While either provision could lead to coverage depending on the circumstances of the particular claim, the latter policy language could increase the odds that a policyholder is able to rely on the law of an especially favorable jurisdiction to obtain coverage.

As insurance options continue to evolve to address an increasingly complex framework for data privacy, businesses looking to manage their risk through cyber insurance should carefully scrutinize any choice-of-law provisions and consult with insurance counsel.