Rising Tide of Cyber Risks Could Swamp the Insurance Market

[Inga Goddijn <inga () riskbasedsecurity com>]

http://www.scl.org/site.aspx?i=ed44195

Hans Allnutt, David Bear, and Clare Hughes-Williams survey the increasing
exposure of insurers in a burgeoning area for insurers that has seen a
recent explosive twist that they may not have taken into account

Growing privacy and cyber liability in the UK will boost the cyber
insurance market, but liability insurers will need to examine their
exposures if they are to avoid a flood of unexpected claims.

*Changing landscape*

Personal data is becoming integral to modern-day life. But attitudes to
privacy are changing and regulatory and legal trends are likely to result
in more successful claims for damages following a data breach. For
liability insurers this has important consequences. As currently drafted,
insurance contracts – ranging from professional indemnity (PI) and
directors' and officers' (D&O) to commercial combined policies – are
exposed to privacy liability claims. Insurers need to give careful thought
to what this emerging class of liability means to them and what action they
must take to avoid unintended consequences.

Personal data is becoming more valuable and its usage more complex – big
data and new technology will see more and more personal data collected and
shared with increasing sophistication. As we increasingly move into the
digital age, data protection laws will no doubt evolve. Even now, the EU is
considering a new data protection regime, while many aspects of existing
data protection law are being tested in the courts.

One important area in which the law is being tested is around the damages a
data breach victim is able to claim. Until recently, the Data Protection
Act 1998 required a claimant to demonstrate a financial loss first before
they were able to seek damages for distress. This has proved a significant
hurdle preventing many claims for breach.

However, in recent years the courts have shown an increased willingness to
find ways to award damages for breaches of privacy. For example, there have
been a number of cases where courts have awarded nominal damages for
financial loss in order to award more substantial damages for distress. The
Court of Appeal's decision in *Vidal-Hall and others v Google Inc* [2015]
EWCA Civ 311 <http://www.bailii.org/ew/cases/EWCA/Civ/2015/311.html>,
however, simply cuts through this hurdle and the need for judicial
workarounds.

*Landmark case*

On 27 March 2015, in a landmark decision, the Court of Appeal granted three
claimants permission to pursue Google for compensation for distress caused
by breaches of the DPA. In doing so, the court confirmed a new tort of the
misuse of private information.

*Vidal-Hall v Google* concerns Google's allegedly secret collection of the
internet usage of Apple Safari users through the use of cookies that
circumvented Safari's privacy settings. The claimants claim Google's
actions damaged their personal dignity, autonomy and integrity and caused
them anxiety and distress. Crucially, they do not claim to have suffered
any financial damage.

This marks the emergence of a new class of privacy liability. *Vidal-Hall v
Google* recognises that individuals should be compensated, even where they
have not suffered a financial loss. As a result, organisations now face an
increased risk of claims for compensation following a breach of privacy or
the Act.

The desire of the courts to compensate individuals for breaches of privacy
is shared by the regulator. In *Vidal-Hall v Google*, the Information
Commissioner's Office intervened in the proceedings and stated that
compensation must be available to people for the moral damage caused by
companies' data protection breaches. UK data protection law is also set to
change under the proposed EU Data Protection Regulation, which is likely to
clarify the situation for damages. While still under negotiation, the
proposed EU Data Protection Regulation should be much clearer on the type
of compensation that can be sought, and we can expect the right to claim
damages for emotional distress alone will be included.

Many liability insurance policies will indemnify privacy claims under
general insurance clauses, cyber extensions or specific wordings relating
to data protection or privacy. Cyber insurance gets all the attention, but
a wide range of traditional insurance policies do provide some cover for
data protection and privacy liabilities. There is now a potentially
significant exposure under data protection and 'invasion of privacy'
clauses for insurers, clauses that have not yet been fully tested in the
face of such claims. All liability underwriters need to look at how their
policies would respond to such claims and whether wordings meet their
intentions. They should consider whether they need to amend wordings and
ask more questions around privacy, cyber security and the use of people's
private information.

*Professional indemnity*

*Vidal-Hall v Google* is potentially very significant for professional
services firms, many of whom hold large amounts of confidential and
privileged client data, as well as data belonging to third parties. For
example, a law firm handling a high-net-worth divorce case would hold
highly private information relating to their client's spouse, which could
potentially expose them to a third-party claim should there be a privacy
breach, notwithstanding the spouse not being a client of the firm.

Solicitors' PI insurers are potentially exposed to data breach or privacy
claims through the main insuring clause for losses arising from private
legal practice. There will be a debate as to whether this exposure is
covered by the main insuring clause and insurers may try to formulate an
argument that data breaches do not arise from the normal course of
business. However, this is unlikely to be a straightforward argument and it
therefore may not be possible to avoid privacy exposures. The question will
be whether to cover privacy exposures under a stand-alone cyber insurance
policy and exclude them from PI insurance, if this is indeed possible.

Minimum standards of indemnity cover are typically set by professional
bodies. So any attempt to exclude privacy-related exposures from PI
policies would have to be agreed by the relevant professional body. PI
underwriters should look to understand more about their data and privacy
exposures and what risk management procedures insureds have in place.
Proposal forms could be amended to ask questions around the IT systems,
business processes and training, which should make it easier to assess the
exposures and rate the risk.

*Directors' and officers' insurance*

Growing privacy liability also has implications for directors and officers
and their insurers. *Vidal-Hall v Google* could give rise to new grounds
for a company to sue its directors if they fail to take reasonable steps to
prevent a breach, or unlawful use, of personal data.

It is too early to say for certain that we will see a surge of claims, but
there is an increased risk. There are potential scenarios that could lead
to more claims being pursued against directors and officers, as well as
claims for costs associated with regulatory investigations. For example,
companies may more readily sue the former board in the event of an
insolvency or if the board has been replaced, as a result of public demand,
following a major data breach.

D&O insurance typically provides broad cover for losses sustained for
claims arising from a 'wrongful act'. So if a director neglects to prevent
a data breach, the loss is likely to be indemnified under Side A and B
cover. Loss suffered by the company itself could also potentially fall
under Side C entity cover, if it is not restricted to security class
actions.

Insurers should look at Side C cover to ensure that it is not so wide as to
respond to the company's losses relating to a data breach or misuse of
information unintentionally. These could potentially exhaust the policy
limit of indemnity leaving nothing for the directors and officers.

D&O policies do not typically expressly refer to privacy risks – the cover
offered is usually so broad that it is not strictly necessary.
Nevertheless, brokers and insureds are pushing for specific cyber
extensions to obtain clarification of coverage. While new, these extensions
will probably evolve over time and may feature breach of privacy and
information misuse in due course.

*Commercial combined*

Commercial combined insurers could also face unexpected claims associated
with a privacy breach or misuse of personal data through public liability
and, to a lesser extent, employers' liability coverages. The principal
exposure arises through the main public liability insuring clause – to
indemnify the insured for legal liability to pay compensation for damages
that may arise from personal injury, property damage or nuisance and
trespass.

The emerging privacy liability tort could provide a new line of cases
relating to personal injury. Underwriters typically think of personal
injury in terms of physical harm, like slips and trips, and few would
contemplate a person suffering injury through a breach of privacy or misuse
of information.

To claim compensation for personal injury, a claimant would typically have
to suffer a recognised medical condition. However, it is possible to
imagine scenarios where a data breach could trigger or contribute to a
psychological condition, such as reactive depression or anxiety neurosis
where the claimant would be regarded as the primary victim. For example,
the release of information relating to a person's sexuality, lifestyle,
medical conditions or personal views could give rise to significant
distress, triggering depression or severe stress.

Underwriters of both public liability and employers' liability need to give
thought to potential personal injury for moral damage and distress arising
from the misuse or release of personal data. There are already cases that
set the bar for personal injury for mental conditions, and stress or
reactive depression, supported by proper medical evidence, can get over the
line for the purposes of a personal injury compensation claim.

Extensions to public liability policies, some of which relate to data
protection law, may also give rise to exposure. Such extensions were not
written with moral damage and distress without financial damage in mind.
However, they could potentially give rise to claims where anxiety or
distress falls short of what is needed for personal injury. Underwriters
need to decide whether they are prepared to write and accept liability for
this new tort, and whether they want to amend policy wordings as a result.

It is possible to take steps to limit exposure to data protection claims in
public liability policies. However, employers' liability insurance is
compulsory and must meet minimum standards of cover.

*Trend toward notification*

Data breaches continue to hit the headlines. And while data protection laws
are evolving, the general direction of travel suggests that companies will
increasingly be required to notify regulators and individuals when there
has been a breach of data security.

Under current UK data protection law, most companies are not legally
required to notify the regulator or individuals following a data breach.
However, current regulatory guidance is that serious breaches should be
notified to the regulator and consideration given to notifying affected
data subjects. If companies do not, they could face higher sanctions.

Corporate social responsibility is also resulting in an increasing number
of companies voluntarily notifying data breaches. A long-touted revamp of
the EU data protection regime is currently being negotiated in Brussels,
and current drafts of the legislation suggest some form of compulsory
notification regime will be included.

First-party costs associated with a data breach and subsequent notification
can be expensive. Such costs are not typically picked up by third-party
liability policies, justifying the need for specialist cyber covers that
indemnify a range of breach-related costs, including legal, forensic,
notification and crisis management services.

*Stand-alone cyber*

Stand-alone cyber insurers will also face a growing exposure to privacy
liability. However, on balance they should benefit from increased awareness
and demand for their product. As discussed, the cover under traditional
liability policies could be said to be limited, unclear and untested. As
liability insurers assess their exposure, they may, where allowed, limit
their liability and introduce exclusions.

Standalone cyber insurance, in contrast, is specifically designed to cover
data and privacy claims and will offer clear cover for both liability and
first-party costs. In addition, cyber underwriters are best placed to
assess the risk and price their policies based on clients' data and cyber
security profile.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!