News of data breaches seems a regular occurrence these days, and over the summer we started to see the first fines for breach of the General Data Protection Regulation (GDPR) issued by the UK supervisory authority, the Information Commissioner’s Office (ICO). Prior to that, the only fine of real significance under the GDPR was imposed by the French data supervisory authority against Google France, for approximately EUR 50 million.
The Data Protection Act 2018 (DPA) is the UK's implementation of the European Union’s General Data Protection Regulation (GDPR). In contrast, the US has no single data privacy law, but the recently passed California Consumer Privacy Act will impose its own GDPR-like requirements on companies’ collection and use of individuals’ data when it becomes effective in January 2020. Since coming into effect in May 2018, the GDPR has encouraged regulators to fine companies for violations.
The maximum fines under the GDPR of up to EUR 20 million or 4% of an organisation’s annual global turnover made headlines when they were announced, but it was very much assumed that these would be reserved for the most serious of breaches. Supervisory authorities have the discretion to take a range of factors into account when determining sanctions and the level of any fine, including the nature of the breach, whether it was intentional or negligent, action taken to mitigate the damage, previous conduct, the type of data lost and co-operation with the authority. Other actions are also available in the event of a breach, such as reprimands, bans, rectification orders or restrictions on processing.
July 2019 saw the ICO issue two notices of intent to impose fines: firstly, £183 million on British Airways, and secondly, £99 million on the Marriott hotel chain. There had been much speculation about the likely fine British Airways would face for the data breach which affected around 500,000 customers in September 2018, just a few months after the GDPR came into force, and many were surprised by the size of the figure the ICO announced. The Marriott hotel group were facing their huge fine for a breach which affected 339 million customers globally and 31 million in Europe.
So what is it about the British Airways and Marriott breaches which means the authorities are proposing such substantial fines? It is said that both organisations have been cooperative with the investigations and have since made improvements to their security systems. Nor is it clear which factors have been taken into account in determining the level of fine. Both companies are now challenging the decision and appealing the initial findings, so it will be interesting to see the outcome of those appeals and to learn more about the decision-making process. They have 28 days to appeal, following which a final penalty notice will be issued by the ICO.
Equifax in the United States has also recently received a fine of around USD 275 million and has been required to establish a fund of up to USD 425 million to cover compensation for customers whose data was exposed in a breach in 2017. It is understood that in that case the breach went undetected for several weeks, and this likely had an impact on the level of fine which was applied. In addition, the settlement requires Equifax to take steps to improve its security and protect consumers.
Many anticipate that we will continue to see large fines in the future as the relevant authorities demonstrate the importance of compliance with data protection law in a world where data is such a valuable commodity and the privacy of individuals is constantly under threat from developments in technology and the way data is used. In certain circumstances this could have serious implications for the survival of many organisations.
It is fundamental that companies adopt, in the first instance, a culture which has the privacy of customers at its very centre. It is impossible, however, to completely avoid a data breach, and the question of whether organisations will or can be covered by insurance is far from clear.
Impact on the insurance industry
From the industry’s perspective, insurance for fines has always been a grey area, and whether there is coverage will depend on the policy language (if there is insurance at all). Some policies will exclude fines and penalties, whereas others will offer cover to the extent permitted by law on the basis that, as a matter of public policy, it is not possible to recover for a loss which has been caused by one's own intentionally criminal or tortious act. In addition, fines under data protection legislation exist to deter breaches, and if they were recoverable under an insurance policy the sanction would not have the same dissuasive effect.
We are also likely to see an increase in claims by individuals in Europe (either alone or as part of a class) to recover for losses suffered as a result of a data breach. The GDPR provides a legislative basis for both financial and non-financial claims. Take, for example, the Morrisons Supermarket litigation, a class action by numerous employees of the supermarket chain who had their data compromised as a result of the actions of a disgruntled employee. Morrisons have been given permission to appeal to the Supreme Court, but the Court of Appeal, in finding for the Claimants, made it clear that Morrisons' protection against this type of liability should be obtained through insurance. If Morrisons are unsuccessful at the Supreme Court, this could set a precedent for further similar claims.
Since the introduction of the GDPR (and equivalent regulations outside Europe), there has also been an increase in publicity around data protection and the rights of individuals in this regard. Headlines such as the British Airways and Marriott data breaches also increase public awareness. Combined with recent enforcement activity, this is likely to affect demand for cyber products, but it is also likely to have an impact on activity in the courts and a knock-on effect for the insurance industry. This will no doubt also give rise to coverage questions, particularly where there are tricky issues such as fines, the question of vicarious liability as seen in the Morrisons case, and the much debated issue of silent-cyber cover.