The Unexpected Indemnity: cautionary tales from cyber’s front-line
Over the past few months, many of you will have been asked to carry out some ‘horizon scanning’ to identify the trends that we are likely to see in the coming year.
For commercial insurance, these forecasts have focussed heavily on issues like climate change, the #MeToo movement and the potential impact of Brexit on company organisation and structures.
To date, the issue of data-subject claims has been largely confined to the cyber-sphere. These are claims pursued by data-subjects who have suffered material or non-material losses as a result of a personal data breach; a right enshrined in the GDPR. However, we are increasingly seeing Insureds looking to their commercial insurance products to provide cover.
In recent months, we have seen several instances of data-subject claims falling for cover under data protection/cyber extensions in Employer’s Liability and Public Liability policies. This is a trend that is likely to increase as the prevalence of data-subject claims generally continues to rise.
Why is this an issue?
Towards the end of 2019, the Court of Appeal delivered its decision in Lloyd v Google, which potentially paved the way for US-style group litigation in data breach claims. The decision also indicated that the “loss of control” of an individual’s data may be sufficient to give rise to a right to damages. This is important, because to claim for non-material damage, claimants previously had to evidence some sort of distress. This new decision means that they may have a cause of action even in the absence of any material loss or distress.
In the wake of this decision, we have also seen evidence that claimant’s solicitors are actively targeting victims of data breaches, with a view to signing those affected up to large-scale group litigation.
Whilst the value of an individual data subject claim can be very modest, there is considerable potential for upscaling, which can cause quantum to increase quickly. In fact, the Court of Appeal’s decision in Lloyd v Google has opened the door to US style mass litigation, so there is now a very real possibility of group actions following data breaches.
The damages of this are best described by an example. The value of an individual data-subject claim can range from a few hundred pounds up to tens of thousands, depending on the circumstances. Even taking a relatively modest claim (say, £3,000 for damages and £3,000 for costs), it only takes 167 individuals to bring a claim to reach the £1 million total liability mark.
Commercial policies traditionally have much higher limits of indemnity than their stand-alone cyber counterparts and, following the developments outlined above, there is a very real possibility that group litigation in data breach claims could produce limit losses.
For commercial insurers, there are a couple of key take-home messages.
Firstly, it is critical to have visibility on the potential exposure to data-subject claims. In the context of commercial insurance policies, the Insured is unlikely to be subjected to the same level of scrutiny about their data protection practices that they would for the purposes of a stand-alone cyber policy. However, SMEs can handle deceptively large amounts of personal data, which may not be immediately apparent based on their day to day activities.
Even if a company does not routinely handle large amount of customer data, its own employees could be a potential source of data-subject claims. For example, we recently dealt with an incident in which a hacker specifically targeted a company’s HR records.
Secondly, if specific data protection or cyber extensions are to be included in a commercial policy, it would be prudent to consider whether a sub-limit should be included. Following Lloyd v Google, there is a possibility that group actions could be pursued, which can quickly cause insurer’s potential exposure to multiply.
As the volume of data-subject claims continues to increase, it will bring into closer focus the potential magnitude of the exposures faced by insurers under commercial policies.
This article was first published by Insurance Day on 4 March 2020.