The European Union (“EU”) has led the way in the area of data privacy with the landmark General Data Protection Regulation (“GDPR”), which took effect in 2018. Recently, the EU broke ground again, reaching an agreement to adopt the Digital Services Act (“DSA”), which will impose new responsibilities on technology companies. 

As with GDPR, the DSA is expected to have far reaching implications, not only because it will apply to non-European companies handling consumer data of EU member states, but also because it may serve as a prototype for future legislation in the U.S.

Under the DSA, which takes effect in 2024, companies can no longer target ads to individuals based on their religion, ethnicity, sexual orientation, or political affiliation, nor can they target ads to minors. The DSA also mandates greater transparency from tech companies around how they recommend content to users. Social media platforms must offer alternative feeds not based on user profiling, and will be required to furnish data around algorithms to academia and non-governmental organizations researching online risks. Violators may be fined up to 6% of their global revenue and repeat offenders could be banned from operating in the EU altogether.


The Takeaway

The DSA will impact the ways in which companies that do business with EU customers can advertise and connect with users there. Similar legislation may be introduced here, if not at the Federal level then certainly in states at the forefront of data privacy initiatives, like California. Such companies would also be wise to check their cyber insurance policies to make sure they have coverage for the violation of a data privacy law, regardless of whether a company has suffered an actual breach.  



City of Unalaska v. Nat’l Union Fire Ins. Co., No. 3:21-cv-00096-SLG (D. Alaska, Mar. 18, 2022)

A Federal court recently ruled that coverage applied to a claim for computer fraud where the insured was able to establish a direct loss by proximate causation. In the underlying claim, an employee of the insured received a fraudulent request to change a vendor’s payment instructions. 

Assuming the request was genuine, the employee proceeded to update the bank account information and execute payments on several invoices, resulting in the funds going to the fraudster’s account. 

Upon discovery of the fraud several month later, the insured reported the incident to its commercial crime insurer. The insurer agreed to cover the claim under a separate “Impersonation Fraud” endorsement, which carried a sublimit; however, it declined coverage for the balance of the loss under the policy’s “Computer Fraud” insuring agreement on grounds that the use of email to perpetrate the fraud was “incidental” to the chain of steps that led to the loss. 

In the ensuing coverage litigation, the court disagreed with the insurer’s rationale for declining coverage. While the insurer contended the policy’s computer fraud coverage required the insured to show that the fraudster’s actions led to a “direct” loss without any intervening steps, the court found the email instructions received by the insured “fraudulently cause[d] a transfer of funds,” and the insured had a reasonable expectation that coverage would apply to the loss.