Record fines for data breaches – untangling the insurance implications
11 July 2019
News that the UK’s Information Commissioner’s Office (ICO) has imposed record fines on British Airways and Marriott hotel group totalling nearly £300 million shows that the new General Data Protection Regulation (GDPR) has teeth.
The question for insurance managers is what insurance, if any, will respond to protect them following a data breach and record fines.
We asked our specialist cyber and financial lines loss adjusters to comment on the web of insurance cover designed to protect companies following data breaches – and to cover the costs of mitigation to fix the damage.
“Often, the first port of call is any cyber liability insurance cover held by the policyholder,” said Laetitia Fouquet, Deputy Head of Cyber at Charles Taylor Adjusting. “But other policies can also respond including directors’ and officers’ (D&O), errors and omissions (E&O), property, professional indemnity, civil liability and crime cover. It all depends on the circumstance of the data breach.”
Cyber liability cover will usually cover the cost of investigating a data breach, the cost of restoring networks and systems, and legal and forensic investigation expenses. It will also cover costs incurred in mitigating the damage, such as communications with customers and crisis public relations cover. “There isn’t yet a unified, or standardised, policy wording for cyber cover, so different policies will cover different risks, with different limits. Following a major attack, the question could well be whether the policy provides a sufficiently high limit of indemnity to put everything right,” said Laetitia Fouquet.
Cyber liabilities may also be covered by property policies, particularly if there is no wording specifically excluding cyber risks. “Recently, Lloyd’s has mandated syndicates to clarify whether first-party property damage policies affirm or exclude cyber cover, in a bid to stop ‘silent cyber’ exposure on policies incepting on or after 1 January 2020,” she added.
The implications of a data breach can be far wider than just the immediate data loss and mitigation. There may be claims from a wide range of other parties affected by the loss.
For example, there may be a D&O claim if a public company’s share price falls as a result of the breach. “If it appears that the company’s senior management failed to invest in adequate data security there could be grounds for a D&O claim from disgruntled shareholders,” said Andrew Jackson, Director of Property, Casualty, Technical & Special Risks at Charles Taylor Adjusting.
D&O claims could also result from a failure of due diligence during an acquisition. “If a business takes over another and it turns out that the target company had weak data security, there could potentially be grounds for a claim. In the context of an acquisition, there is also potential exposure of any warranty & indemnity insurance if representations made during the acquisition process regarding data security prove to have been incorrect,” added Andrew Jackson.
Companies may also face claims against their E&O/Civil Liability or crime policies if customers suffer losses from identity theft or fraud as a result of their sensitive financial information being stolen.
The British Airways and Marriott claims will reignite the debate about whether fines are insurable. “It all depends on the circumstances,” said Andrew Jackson. “Insurers may cover some fines if these are insurable at law – but in many cases these are excluded by policy wordings.”
Untangling the overlapping insurance coverage will usually fall to the various insurers exposed to the loss, who will also have to consider any ‘other insurance’ provisions in their respective policies. “There are some jurisdictions where an insured with multiple policies providing cover for an event can direct their focus to one of those policies, leaving that insurer to seek contribution as appropriate from all others,” said Andrew Jackson.
The fines imposed on British Airways and Marriott show that the ICO is hardening its stance following the introduction of GDPR. “The authorities are not only imposing fines for inadequate consent, direct marketing messages, or sharing of data with other organisations but are also willing to impose fines of up to 4% of turnover as directed in the GDPR when inadequate security was in place and high numbers of customers were affected,” said Laetitia Fouquet.
Companies outside Europe can also be seriously affected by data breaches which result in the loss of EU citizens’ personal data. It does not matter where the company is based – if it is holding data on EU citizens it will be caught by the GDPR.
“There is no doubt that insurance managers at companies large and small will need to think carefully about their insurance cover – and how they would respond in the event of a major data breach,” Laetitia Fouquet concluded.