06 September 2023 / RQ SPEAK

Cyber Insurance in the time of Data Privacy

Data protection and data privacy are in the limelight again after India passed a new law, the “Digital Personal Data Protection” Act 2023. This blog will help cyber insurance professionals understand how the DPDP impacts their cyber insurance products.

What cyber insurers should consider before underwriting cyber policies in light of the new Digital Personal Data Protection Bill

Data protection and data privacy are in the limelight again after India passed a new law, the “Digital Personal Data Protection” Act 2023, which is lovingly known as DPDP 2023. Among other things, this has sparked off a discussion in the cyber insurance community on its implications for cyber insurance. This post is my personal take on the same.

A brief summary of the DPDP 2023 for cyber insurers

The DPDP applies to:

  • Anybody that processes digital personal data within India

  • Anybody that processes digital personal data outside India, if the processing is related to goods or services offered to people within India

There are a few entities of interest here:

Starting with the big block containing all the operational stakeholders, this includes:

  • Data Principal - The individual to whom the data belongs

  • Consent Manager - An interesting entity that does not yet exist. This is an entity that manages, on behalf of the Data Principal, the consent given for providing data. The Consent Manager has to be registered with the Data Protection Board of India. All consent could be managed through, say, a consent management application.

  • Data Fiduciary - This is the equivalent of a data controller in GDPR. The Data Fiduciary collects data from the Data Principal and uses it as per the rules and regulations of the DPDP 2023. Most obligations under the Act apply to the Data Fiduciary.

  • Data Processor - An entity that processes data about the Data Principal, but does not directly interact with the Data Principal. A Data Processor is engaged by the Data Fiduciary to process the data of the Data Principal.

Then there is the big daddy - the Data Protection Board of India. This body is responsible for governing the entire data protection ecosystem. It has the relevant powers to evaluate breaches and also levy fines. If anyone has a grievance with the Data Protection Board of India, they can file a complaint with the Telecom Regulatory Authority of India (TRAI).

What coverages get affected?

Cyber coverage is not standard. A cyber policy is made up of multiple bespoke components, from covering a ransom payment in bitcoin to paying a PCI DSS (Payment Card Industry Data Security Standard) fine. In essence, however, the coverages can be rationalised into the following three areas:

  • Data Breach - Data breach is a broad term meaning that data falls into the hands of unauthorised actors. The definition is rather vague, but it covers any loss, alteration or unauthorised access of data. Most cyber policies restrict the type of data they cover. Cyber policies typically cover two types of data for breaches:

    • Personal Data - Data about individuals. This could include financial, health or belief-system data, etc. If personal data gets breached, then the cyber policy is expected to pay. This section gets directly impacted by the DPDP: the regulatory fines can be thought of as being covered by the policy.

    • Corporate Data - Trade secrets, etc. This includes all data that an organisation considers critical for its functioning and well-being.

  • Cyber Business Interruption - Since traditional Business Interruption (BI) policies have an exclusion for cyber-related interruptions, cyber BI is one of the key reasons that organisations go for a cyber policy. The DPDP does not affect cyber BI directly. However, there are a few points that might have an indirect impact on BI. For example, a Data Fiduciary is mandated to provide evidence that consent was sought and given (in the case of consent-driven data access). If, due to a data loss, that consent evidence is not available, fines could be levied on the Data Fiduciary, and a cyber policy could possibly be liable to pay.

  • Regulatory Fines & Contractual Penalties - This coverage is simple and directly impacts the cyber policy. If regulatory fines are levied, the PML (probable maximum loss) would probably be the policy limit! The highest fine as per the DPDP is INR 250 crores.

Covering parties in the data protection ecosystem

What if a cyber insurer would like to underwrite a party that is part of the data protection ecosystem? There are certain considerations that the underwriter should take into account in addition to a regular proposal form.

Covering the Data Principal

The Data Principal is the owner of the data. As per the DPDP, the Data Principal does not have too many obligations. A cyber policy that covers the Data Principal would most likely be a retail or individual cyber policy, and even for an individual cyber policy there would not be any implication from the DPDP.

Covering the Data Fiduciary

The Data Fiduciary is the entity with the largest underwriting impact for an insurer. Some of the things that a cyber insurer should check for before placing the policy would be:

  • Is the organisation a ‘significant’ Data Fiduciary? (The definition of a significant Data Fiduciary is not yet provided)

  • Does the organisation issue the ‘Notice’ for collecting digital personal data?

  • Does the organisation manage consent?

  • Does it have a process for managing personal data of children?

Covering a Data Fiduciary or a Significant Data Fiduciary adds the most risk for the insurer. Hence, asking specific questions about these points should help the insurer underwrite better. Our team at Risk Quotient is working on adding these questions to 4SURE to ensure that cyber insurers can underwrite Data Fiduciaries better.

Covering the Data Processor

The Data Processor does not directly deal with the Data Principal and hence does not have a direct liability under the Act. However, the Data Fiduciary would typically have a strong contract with the Data Processor that carries contractual obligations and penalties. This has to be considered by the cyber insurer when underwriting the Data Processor's cyber risks.

Covering the Consent Manager

A Consent Manager is the newest entity on the block. It is not yet clear how this would work and what the obligations and responsibilities of a Consent Manager would be. For example, what would happen if the Consent Manager fails to follow through on an instruction by the Data Principal to withdraw consent? Or, what would happen if the Consent Manager is not able to provide evidence of consent?

Any organisation that would like to play the role of a Consent Manager (account aggregators are the prime candidates to do this) would have to be evaluated individually until the risks are clear.

Conclusion

While the DPDP is not the GDPR, it does impose significant liability on the ecosystem. How it plays out will depend on how the rules are defined and how case law develops. However, a cyber insurer should definitely consider the above points when deciding whether to cover an organisation in the DPDP ecosystem.