On 1 September 2023, the new Swiss Data Protection Act (nFADP) entered into force, with the aim to guarantee the security of the personal and sensitive data of Swiss citizens. This legislation has raised questions about the implications for businesses and the associated risks when processing data on behalf of third parties. Our Loycomates, risk management experts, Grégoire Mottier and Lionel Ducommun, have examined this question from an insurance perspective and offer you a summary here.
Risk management according to the ISO 31000 standard
Within the reference framework established by the ISO 31000 standard, risk treatment directly follows the phases of identification – analysis – and evaluation of the various risks.
The 5 stages of risk treatment according to ISO 31000
Our survey of different insurance companies
According to ISO 31000, “Risk treatment offers various strategies, one of which is to transfer or share the residual risk to an insurer, for a premium”. It is in this context that our two experts carried out a survey of different insurance companies in order to clarify several essential points and determine:
- if insurers will, in the short term, modify or restrict their “Civil liability for financial losses” coverage in the context of claims for damages based on the application of the nFADP (for example, in the event of a wrongful data leak);
- whether insurers will be able to cover (via Cyber coverage?) fines of up to CHF 250,000 applicable to a natural person responsible for data protection, for example, in the event of non-compliance with minimum requirements in terms of data security. It should be noted that only intentional or potentially intentional action would result in such a sanction. However, the damage to the company’s reputation remains unchanged.
Position of the insurers contacted and conclusions of the investigation
- Insurance conditions for Civil Liability should not undergo significant changes in the short term, whether in terms of scope of coverage or premiums. This stability can be explained by the fact that the insurance conditions already referred to data protection legislation before the entry into force of the nFADP. Insurers therefore clearly prefer to observe the real effects of this new legislation before making changes to their products.
- Generally, fines and penalties are not insurable.
Any insurance contract covering such compensation would be considered contrary to good morals and would therefore be void under Article 20 paragraph 2 of the Swiss Code of Obligations. However, it should be noted that the insurance conditions for Civil Liability in the event of personal injury following a violation of the legislation can vary considerably from one company to another. In particular, the cause of the insurable event must be carefully examined on a case-by-case basis.
What to do in this context?
Faced with the entry into force of the nFADP, the key to effective risk management lies in anticipation. Organisations are encouraged to:
- ensure their compliance with the nFADP (which should already be in place), including in terms of their IT security;
- establish a list of scenarios likely to lead to a violation of the nFADP that could result in damages to third parties;
- take an inventory of existing insurance coverage (Civil Liability and/or Cyber) and examine them according to each scenario;
- if applicable, contact their insurer or broker to clarify and ensure all necessary responses.
The nFADP, while involving additional work for all organisations and creating some uncertainty, encourages organisations to strengthen their compliance and data security.
For more information on the Swiss nFADP, you can consult the official Swiss government page or contact our specialists for advice or support.