Last October, the British supermarket chain Morrisons lost an appeal against a High Court ruling that found it was partly liable for a data breach. Andrew Skelton, an internal auditor, was given eight years in prison for fraud, after he maliciously leaked the personal data of around 100,000 other employees via the Tor network. In a class-action suit, 5,000 of those employees have sued Morrisons for compensation.
In response to Morrisons’ argument that the compensation costs could be ruinous, the Court of Appeal suggested that organizations should buy insurance.
“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophe. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by Morrisons' lawyers,” said the court.
But how easy is it to do that? There are a few problems. The first is whether companies can insure against a court-awarded fine. The second is whether insurance companies can accurately price the risk. The third is whether, once you’ve secured insurance, it will actually pay out.
Taking the first aspect, Renzo Marchini, privacy lawyer at Fieldfisher, explained in a recent blog that “there is the possibility that an old English law contract rule (that it is not possible to recover damages "tainted by illegality") might prevent parties passing liability for regulatory fines between themselves under contract. An issue that is also relevant to whether an insurance policy can pay out for fines. Specifically, courts have long held that as a matter of public policy a party that is fined by a criminal court cannot recover under a contract or indemnity in respect of that fine from another party. The doctrine goes beyond criminal fines to fines imposed by regulators; for example, fines imposed by competition authorities for a breach of competition law.”
Indeed, across Europe only two countries, Finland and Sweden, explicitly permit insurance against GDPR fines.
Mark Bannon, Zurich’s EMEA of Cyber Liability, explains further: “Clearly if legislation is passed that imposes a fine, there's a public interest associated with it. Imagine if the insurance market was providing full insurance for any violation of legislation, it would undermine the whole purpose of public policy decision making. It begs the question, if you’re insured, why would you bother complying with the regulations? Therefore you do generally find that each EU member state and its jurisdictional laws usually prohibit the ability to insure a regulation fine.”
However in practice, it’s a little different. “The GDPR is a very new law, and across Europe there's a lot of grey areas,” continued Bannon. “As a new piece of legislation, we have not seen any tested law on the insurability of GDPR fines. So until the legal framework is developed around this, we at Zurich are leaning to the side of the customer. What we mean by that is, until we are told to do differently or until the law is developed to such an extent and where it actually says we should not be insuring these fines, Zurich has adopted a more progressive outlook and we are saying we will actually provide an insurance protection for GDPR fines where it is allowed.”
But Bannon pointed out that insurers are having a tough time quantifying risk, despite all the data available. “The challenge that I see with the General Data Protection Regulation is that each EU member state’s data protection commissioner is responsible for capturing data breach information or potential violations of GDPR regulation, and as a result, you end up with difficulties in deciding what data needs to be captured at each EU jurisdiction. Every country seems to be recording the data in different ways,” he said.
But Bannon added that there's no point in recording that information if the EU doesn’t do something with it. “By that I mean by doing something with that information that will benefit EU citizens and the economic bloc.”
Under the GDPR, if a company becomes aware that data may be, or is actually compromised, it is required to notify the data protection commissioner of the appropriate jurisdiction within 72 hours.
Bannon believes this nets valuable information about, for example, what industry sectors or types of company have experienced a data breach, the nature of that breach, ancillary exposures, whether there is a risk to employees, or the sustainability of the business.
“Furthermore we need to understand is it just a data breach or is it a cyber extortion and ransom demand event,” he continued. “And if it is a cyber extortion ransom demand event, who is actually instigating that. Is it possible to determine what role government agencies and security services at a national level or jurisdictional level have to play? How do we understand what is going on in that cyber attack? The reason I'm saying this is because unless we are capturing vital statistics like this, we cannot identify if there's a trend.”
“Is there a modeling capability that could identify, for example, whether certain industries are seen as a softer target than others? A good example perhaps could be, say, the retail sector, where you've got quite a lot of significant credit card transactions taking place every hour of the day. And therefore they are seen as a more attractive target by hackers. Or is there something a little bit more sinister in terms of state sponsored attacks or state sponsored corporate espionage of critical sectors like the pharmaceutical industry or financial institutions?” asked Bannon.
To calculate risk, insurers need a correct understanding of what is going on in the cyber threat landscape.
“This information is being captured at a jurisdictional level by data protection officers, but if we can't understand what's going on, and we can't see the trends using aggregated data, then we can't model it correctly. And if we can't model it correctly, we can't therefore price the risks more accurately,” explained Bannon.
“Not only could the insurance market correctly price these risks, but more importantly it could present a great opportunity for the insurance market to get far greater understanding of these risks to the point where we can actually start getting more comfort and assist small businesses or major corporations right across the European Union.”
But, according to Bannon, right now the picture of the cyber risk landscape is incomplete. What about the demand side? What sort of insurance are businesses asking for? “It's a mixed bag,” said Bannon. “But it's predominantly leaning towards a general awareness of and confusion about what exactly cyber risk means. Do you have a good state of preparedness for when you are attacked or if you are the victim of a stock extortion ransom demand? Can you get your data back at all? Can you recover those backups to get your system back up and running quickly?”
Of course, cyber risk means different things to different people. “I guess the most important part is really being able to identify where you have risk and what that means for your business. And if we can identify where that risk is and what it looks like, we can start to then begin the next phase of understanding well what can we do to address that risk. Insurance has a very important role to play in transferring that risk out of organizations and small businesses into insurance products,” concluded Bannon.
But Daragh O’Brien, managing director of Castlebridge Associates, has a different perspective: “In my cynical view, if I was asked to come up with a product or an industry that insurers would never have to pay out on, cyber insurance is probably that product,” he said. “But it's a trend. Even in Castlebridge, we're increasingly seeing our clients requesting that we have cyber security insurance, even in circumstances where we're actually not touching data, we still need to have insurance.”
“Furthermore, privacy professionals need to be aware of the nature of cover. In terms of cyber security insurance, it's worth remembering that all insurance is based on you doing things the way you told your insurer you would. So if you deviate from policies or procedures in any shape or form, it gives the insurer grounds to not pay. And we've seen a number of cases in the U.S. where insurers have not paid out on cybersecurity insurance because the people who hold the breach haven't followed their procedures,” continued O’Brien.
The other aspect is insurance for data protection officers, explained O’Brien. “We have not been able to get insurance to act as a DPO. Our underwriter says it's an uninsurable risk and therefore won't provide insurance. Despite the fact that as a DPO we're actually indemnified in the legislation. So that's something data protection professionals need to be aware of and their clients need to be aware of. But as with all things in an insurance context, the quality and adequacy of your cover comes down to how you're managing and mitigating the risk.”
Hogan Lovells privacy lead, Eduardo Ustaran, summed up the current landscape: “Data breach insurance is far from being a magical solution to a rapidly increasing problem. It may be a useful tool as part of the damage limitation strategy, but it does not address all of the consequences of data security incidents, let alone the fundamental requirement to keep data safe. This is a relatively new market and as such, it is bound to evolve significantly before it becomes mainstream.”