For Kenyan insurers long frustrated by extremely low uptake of cyber-crime policies by skeptic corporates, there is fresh hope for booming business as firms race to comply with a new law that has shaken up personal data security rules in the country.
President Uhuru Kenyatta in November 2019 signed the Data Protection Act that took effect last year–spooking corporates that collect large volumes of customer data to clean up and safeguard their systems to avoid punitive consequences.
The law sets out restrictions on how personally identifiable data obtained by firms and government entities can be handled, stored, and shared. Firms breaching the law face a penalty of up to Sh5 million or one per cent of its preceding year annual turnover–whichever is lower.
The net effect of this for the insurance sector in Kenya is that its efforts to establish cyber and data cover as a lucrative business line may be about to bear fruit.
"If you are a data handler or a processor and someone else gets access to the data and the customer sues you, the only protection you can take is a professional indemnity cover," Mr Tom Gichui, chief executive of the Association of Kenya Insurers (AKI) told Smart Business.
Data controllers
The Data Protection Act requires data controllers and processors both in Kenya and abroad to ensure that all personal information is processed lawfully, fairly, and in a transparent manner. They are also required to inform clients on the use of personal data and correct or delete any false representations about them.
The law also guarantees special safeguards for sensitive data such as one’s marital status, sexual orientation, health status and ethnicity. Further, the Act restricts transfer of personal data to parties outside Kenya. Data controllers and processors are required to obtain permission from the Data Commissioner before transferring such outside the country and provide proof of sufficient safeguards against misuse of the information.
Mr Ezekiel Macharia, managing director of insurance brokerage firm, Kenbright Holdings projects a surge in uptake of cyber security cover by firms keen on avoiding liabilities under the new law. "Cyber insurance has been there for while mostly as a protection against hacking and protecting data but now increasingly it will cover the legal implications should the company be penalised. Legal liability is growing for example if a hospital treated a prominent person and its system gets hacked leaking his or her data on cancer or HIV, […]
