Reliance on compliance is not, on its own, a viable option for protecting companies against data loss risks. Insurance can be essential to mitigate potential losses arising from an unexpected incident.
The market has developed rapidly and many insurers now offer dedicated policies. Policies vary enormously, and are often complex and untested. Ahead of the GDPR coming into force on 25 May 2018, it is important to understand the potential liabilities organisations face, and how cyber insurance can protect them.
The potential exposures under GDPR
Currently, the Information Commissioner can impose fines of up to £500,000 on organisations which breach data protection obligations. Under GDPR, this ceiling increases significantly. The highest fines, reserved for the most serious breaches, can be the greater of €20m or 4 per cent of an organisation's total worldwide annual turnover. Such fines pose existential risks.
Additionally, organisations face potential civil claims by those persons adversely affected by the data breach. In a recent case, Morrisons Supermarkets was held liable to pay damages to 5,550 claimants for breach by one of its employees of the Data Protection Act 1998. Interestingly, while the court found Morrisons was not itself in breach of its data protection obligations, it was vicariously liable for the actions of its employee.
Damages in such cases will be determined on a case-by-case basis and may include 'distress' compensation, even if victims did not suffer financial loss. As in the Morrisons case, where large numbers are affected, overall damages could be very substantial. This risk is only likely to increase under GDPR.
Further, companies and (where guilt is attributable to individuals) directors could be exposed to criminal liabilities under GDPR.
Insurance for data losses
Organisations should consider the extent of coverage provided for data breaches under existing policies, including (for example) professional indemnity liability and property/business interruption. These are not always designed to cover data-related risks, so it is essential to assess the coverage they actually provide. There are likely to be coverage gaps which need to be filled, whether by enhancements to existing policies or through a dedicated cyber policy.
Most dedicated cyber policies will cover the legal costs and liabilities arising from any civil actions resulting from a data breach. Some cover regulatory fines although, as a matter of public policy, fines resulting from the insured’s own deliberate fraudulent/criminal conduct are uninsurable. There remains some uncertainty regarding non-criminal regulatory fines, but there is nothing in the legislation at present which suggests that fines under GDPR will be uninsurable.
Cyber policies ought to provide coverage for other costs as well, including the costs of notifying victims and relevant authorities, and setting up call centres. Coverage may extend to other crisis management costs like forensic expert fees and PR expenses and the costs of restoring the company’s data and computer systems.
Cyber insurance policy wordings vary so a careful assessment is essential. Some impose onerous conditions which, if not complied with, may undermine the benefits of the insurance cover. Others may have wide exclusions, and policyholders need to ensure their coverage matches particular exposures to which their business is vulnerable.
There are no reported cases relating to cyber insurance in the UK, but some cases from the United States are informative. In one case, the court found insurers not liable, following the failure by an insured to comply with minimum security requirements recommended at inception. In another case, involving a policy which excluded losses caused by third parties, the insurer was held not liable to pay losses caused when hackers accessed millions of the insured's data records.
These cases illustrate some of the potential difficulties companies need to consider when buying cyber insurance. It is becoming an essential part of any corporate insurance programme, and policyholders need to pay careful attention to the policy terms and conditions to ensure that the insurance they buy is fit for purpose.
Make sure you and your organisation are well informed when it comes to data protection and security. Keep up to date with our cyber security blog series and make sure you don’t get caught out!
Sarah Turpin (Partner) and Alexander Bradley-Sitch (Associate), lawyers in the Insurance Coverage team at K&L Gates LLP in London