{"id":7947,"date":"2023-09-26T00:00:00","date_gmt":"2023-09-25T22:00:00","guid":{"rendered":"https:\/\/www.loyco.ch\/actualites\/new-data-protection-act-what-is-the-response-from-insurers\/"},"modified":"2024-07-30T15:10:51","modified_gmt":"2024-07-30T13:10:51","slug":"new-data-protection-act-what-is-the-response-from-insurers","status":"publish","type":"post","link":"https:\/\/www.loyco.ch\/en\/actualites\/new-data-protection-act-what-is-the-response-from-insurers\/","title":{"rendered":"New data protection law: how are insurers responding?"},"content":{"rendered":"<p><strong>September 1, 2023 marked the entry into force of the new Swiss Data Protection Act (<a href=\"https:\/\/www.kmu.admin.ch\/kmu\/fr\/home\/faits-et-tendances\/digitalisation\/protection-des-donnees\/nouvelle-loi-sur-la-protection-des-donnees-nlpd.html\" target=\"_blank\" rel=\"noopener\">nLPD<\/a>), which aims to guarantee the security of Swiss citizens&#8217; personal and sensitive data.<br \/>\nThis legislation has raised questions about the implications for companies and the associated risks when processing data on behalf of third parties. <\/strong><strong>Our Loycomates, risk management experts <a href=\"https:\/\/www.linkedin.com\/in\/gr%C3%A9goire-mottier-791855a\/\" target=\"_blank\" rel=\"noopener\">Gr\u00e9goire Mottier<\/a> and <a href=\"https:\/\/www.linkedin.com\/in\/lionelducommun\/\" target=\"_blank\" rel=\"noopener\">Lionel Ducommun<\/a>, have examined this question from an insurance perspective and offer you a summary here.<\/strong><\/p>\n<h2><strong>Risk management according to ISO 31000<\/strong><\/h2>\n<p>  In the reference framework established by <a href=\"https:\/\/www.iso.org\/fr\/iso-31000-risk-management.html\" target=\"_blank\" rel=\"noopener\">ISO 31000<\/a>, risk management directly follows the phases of <strong>identification<\/strong> &#8211; <strong>analysis<\/strong> &#8211; and <strong>evaluation<\/strong> of the various risks.  
<strong>The 5 stages of risk management under ISO 31000<\/strong><\/p>\n<p><a href=\"http:\/\/www.iso.org\/obp\/ui\/#iso:std:iso:31000:ed-2:v1:fr\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-36203 size-full\" src=\"https:\/\/www.loyco.ch\/wp-content\/uploads\/2024\/04\/gesstion-des-risques_5-etapes-selon-iso-31000.png\" alt=\"\" width=\"418\" height=\"270\"><\/a><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Our survey of insurance companies<\/strong><\/h2>\n<p style=\"text-align: left;\">According to ISO 31000, <em>&#8220;Risk management offers various strategies, one of which is to transfer or share the residual risk to an insurer, in return for a premium&#8221;<\/em>.<br \/>\nAgainst this backdrop, our two experts conducted a survey of various insurance companies to clarify a number of key points: <\/p>\n<ul>\n<li>Whether insurers will, in the short term, modify or restrict their &#8220;Liability for financial loss&#8221; cover in the context of claims for damages based on the application of the nLPD (for example, in the event of a culpable data leak).<\/li>\n<li>Whether insurers will be able to cover (via Cyber cover?) fines of up to CHF 250,000 applicable to a natural person responsible for data protection, for example in the event of failure to comply with minimum data security requirements.<br \/>\nIt should be noted that only an intentional or potentially intentional action would result in such a penalty.<br \/>\nHowever, damage to the company&#8217;s reputation remains unaffected.  
<\/li>\n<\/ul>\n<h3><strong>Position of insurers contacted and survey findings<\/strong><\/h3>\n<ul>\n<li><strong>Insurance conditions for third-party liability are not expected to undergo any significant changes in the short term<\/strong>, either in terms of scope of coverage or premiums.<br \/>\nThis stability is explained by the fact that insurance conditions already referred to data protection legislation before the nLPD came into force.<br \/>\nInsurers clearly prefer to observe the real effects of this new legislation before making changes to their products.  <\/li>\n<li>As a general rule, <strong>fines and penalties are not insurable<\/strong>.<\/li>\n<\/ul>\n<p>  Any insurance contract covering such indemnities would be considered contrary to good morals and would therefore be null and void under article 20 paragraph 2 of the Code of Obligations.<br \/>\nIt should be noted, however, that <strong>the terms and conditions of third-party liability insurance for breaches of the law can vary considerably from one company to another<\/strong>.<br \/>\nIn particular, the cause of the insurable event must be carefully examined on a case-by-case basis.    
&nbsp;<\/p>\n<h2><strong>What to do in this context?<\/strong><\/h2>\n<p>  With the nLPD coming into force, the key to effective risk management lies in anticipation.<br \/>\nOrganizations are encouraged to:   <\/p>\n<ul>\n<li><strong>Ensure compliance with<\/strong> nLPD expectations (which should already be in place), including IT security.<\/li>\n<li>Draw up a <strong>list of scenarios that could lead to a breach of the nLPD<\/strong> that could result in damages to third parties.<\/li>\n<li>Make an <strong>inventory of existing insurance cover<\/strong> (Civil Liability and\/or Cyber) and review it according to each scenario.<\/li>\n<li>If necessary, contact your insurer or broker to <strong>clarify and guarantee all the answers you need<\/strong>.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><strong>In conclusion<\/strong><\/h2>\n<p>  The nLPD, while involving additional work for all organizations and creating some uncertainty, encourages organizations to strengthen their compliance and data security.<br \/>\nFor more information on the Swiss nLPD, you can consult the <a href=\"https:\/\/www.kmu.admin.ch\/kmu\/fr\/home\/faits-et-tendances\/digitalisation\/protection-des-donnees\/nouvelle-loi-sur-la-protection-des-donnees-nlpd.html\" target=\"_blank\" rel=\"noopener\">official Swiss government page here<\/a>, or contact our specialists for advice and support. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>September 1, 2023 marked the entry into force of the new Swiss Data Protection Act (nLPD), which aims to guarantee the security of Swiss citizens&#8217; personal and sensitive data. This legislation has raised questions about the implications for companies and the associated risks when processing data on behalf of third parties. 
Our Loycomates, risk management experts [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":9844,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[44,52],"tags":[],"class_list":["post-7947","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-insurances","category-risk-management"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.loyco.ch\/en\/wp-json\/wp\/v2\/posts\/7947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.loyco.ch\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.loyco.ch\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.loyco.ch\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.loyco.ch\/en\/wp-json\/wp\/v2\/comments?post=7947"}],"version-history":[{"count":0,"href":"https:\/\/www.loyco.ch\/en\/wp-json\/wp\/v2\/posts\/7947\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.loyco.ch\/en\/wp-json\/wp\/v2\/media\/9844"}],"wp:attachment":[{"href":"https:\/\/www.loyco.ch\/en\/wp-json\/wp\/v2\/media?parent=7947"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.loyco.ch\/en\/wp-json\/wp\/v2\/categories?post=7947"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.loyco.ch\/en\/wp-json\/wp\/v2\/tags?post=7947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}