The Information Commissioner’s Office (ICO) made it clear upon introduction of the UK GDPR, referred to as the Data Protection Act 2018 (DPA 2018), that the regulation was not a tool to punish, but rather its goal was “guiding, advising and educating organisations…preferring the carrot to the stick.” However, with significant maximum fines of 4% of annual turnover or GBP 17.5 million, many businesses have sought to transfer this risk to insurance products.
There are several ways in which reimbursement for regulatory fines may be addressed in insurance policies; however, the ICO has not declared a position on insurability (unlike the Financial Conduct Authority, which prohibits insurance responding to breaches of financial regulations). Accordingly, organisations are currently reliant on case specifics, insurance policy language and legal precedent to determine how likely it is that a potential fine could be covered by insurance.
Cyber policy considerations
Cover for regulatory fines
A robust cyber insurance policy can provide cover for regulatory loss following an actual or alleged breach event by the assured. Regulatory loss may include civil fines and penalties which have been levied against an organisation by a legally empowered entity, in its capacity to enforce privacy laws, where the fine is deemed insurable by law.
In case of a breach event resulting in a privacy liability event, cover can be provided for associated investigation, remediation, and mitigation costs. It also can provide reimbursement for costs incurred in complying with notification requirements.
An added benefit of a cyber insurance policy is access to a 24/7 breach response team, which will be able to support policyholders on the ground when a breach event is discovered and immediately assist with mitigating the potential fallout.
Breach response measures are key given that the ICO can consider an organisation’s response time, among other things, as mitigatory action.
Cyber policies can also extend cover for expenses incurred to investigate, defend and appeal liability claims against the policyholder. This coverage would apply to any court proceedings following action by the ICO, in addition to defending the assured against any private action undertaken by an affected party for whom the assured is directly or vicariously liable as data controller or processor.
As investigations and legal action undertaken by the ICO may last for several years, legal expenses may be significantly greater than originally perceived. Experience shows that in such long-tail cases, legal fees can quickly reach excessive levels.
Under an optional cover for an adverse media report related to a breach event, reimbursement can be available for a loss of earnings due to the reputational harm such a media report may have caused.
Directors’ and officers’ liability considerations
Compliance with the increased responsibilities under the DPA 2018 ultimately flows up to the board, both because of regulatory requirements and because of the reputational and potential commercial consequences that can arise from a data breach.
Personal liability arises under the DPA 2018 where a breach occurs “with the consent, connivance of, or is attributable to the neglect on the part of a director”. Liability also attaches to individuals as a result of fiduciary duties under the Companies Act 2006: directors must promote the company’s success and exercise reasonable care, skill and diligence in their role. Failure to consider and reduce the risk of a data breach, for example, could result in a claim against individuals for a breach of their duties and ultimately damages or fines as a result.
In the five years since the implementation of the Act, the UK has yet to see a claim against an individual for personal liability. However, there have been relevant cases abroad:
In Finland, the former CEO of a psychotherapy firm was found guilty of a data protection crime because he did not fulfil GDPR requirements after sensitive information of tens of thousands of patients was stolen. It was found his actions were intentional or grossly negligent due to inadequate protection of the personal data.
In the US, the former chief security officer at a large mobility app was found guilty of “criminal obstruction and concealment of a felony” following a data breach that resulted in tens of millions of customer and driver data being stolen.
The Federal Trade Commission (FTC) has taken action against an online retail company and its CEO, following the breach of millions of consumer records, alleging that the company’s security failures led to the data breach. The director of the FTC’s Bureau of Consumer Protection said the action “ensures the CEO faces consequences for the company’s carelessness,” and “CEOs who take shortcuts on security should take note.”
These wider trends demonstrate that whilst the insurability of GDPR-related fines imposed by the ICO remains unclear, directors will be held to account, exposing them to personal liability. Comprehensive enterprise risk management programs should consider these risks and procure appropriate D&O cover to potentially transfer the risk to insurance.
In the event of an investigation into a company, legal representation of directors who are called as witnesses can be covered. Should a director become the target of the investigation, there can be cover up to the full limit for the director’s defence.
Where insurable by law, D&O policies also can provide cover for civil fines or penalties, provided there has been no determination of intentional, grossly negligent, or deliberate breach of the law by the individual. As described above, insurability of UK GDPR fines remains unclear.
Stakeholders, including customers, shareholders, and employees, could also bring claims against directors as a result of a data breach. The D&O policy can provide cover for the defence of the individual and any award for damages, costs, or settlements.
Broad D&O policies include a sublimited extension for costs to obtain support from a crisis firm to protect an insured person’s reputation from negative statements made against them in the press.
An evolving picture
According to the Allianz Risk Barometer 2023, cyber incidents rank as the most important risk globally, with data breach the most concerning exposure of those surveyed. Despite opaqueness still surrounding the issue of insurability of GDPR fines, an appropriate suite of insurance policies can be an effective risk transfer tool.
For more details on our products and services, please visit our Global Cyber and Technology page, our Management Liability page, or contact:
Lizzie Harris – Management Liability, Account Executive
T: +44 (0)20 7933 2442
Megan Long – Cyber Broker
This is part of a series of articles to be published on lockton.com about the GDPR’s legacy five years after its enactment. Read more about what the regulation has meant for US-based businesses, for UK businesses, and look for our next instalment.