ICO’s proposed largest ever fine of £183 million against BA prompts the question: can you insure penalties imposed for breach of GDPR?

The UK’s data protection authority, the ICO, has announced twice in two days this week that it proposes to levy significant fines on organisations for breaches of the General Data Protection Regulation (GDPR), which took effect in May 2018. First it announced that it intends to fine British Airways some £183 million for a data breach in 2018 that affected 500,000 customers (see our Data Blog here for more details). The following day it announced that it proposed to fine Marriott hotels group nearly £100 million, again for a data breach that affected customers (see our Data Blog here for more details). Both BA and Marriott may make representations to the ICO before final decisions are taken. These proposed fines dwarf previous fines issued by the ICO, which were capped at £500,000 under the old privacy regime.

Until now the business world has been waiting to see how the ICO would use its powers under the new GDPR regime. Under the regime, the ICO can now impose a broader range of significant civil penalties for data protection breaches than was previously possible. This includes penalties of up to €20 million or 4% of a company’s global annual turnover, as well as potentially ordering companies to stop processing personal data altogether. The ICO is clearly now baring its teeth.

Insurance

One issue that companies in the position of BA or Marriott might be considering is whether an ICO fine is covered by any insurance they have. That might shine a light on an unresolved issue, namely whether the fines that the ICO can now impose under the new GDPR regime are insurable.

Many insurance policies provide insurance coverage for civil fines to the extent permitted by law. However, what is permitted or prohibited by law is something of a vexed question. The GDPR says nothing about whether such coverage is permitted or prohibited and the ICO has said that it is not aware whether insurance is available for any fines it may impose. Under English law, it is therefore necessary to look to the general principles of the common law.

It is generally accepted that under common law a fine for deliberate, criminal or quasi-criminal conduct is uninsurable (save potentially in respect of strict liability offences). But there is a debate within the insurance market as to whether ICO fines for less serious conduct are insurable. In January 2019 the Global Federation of Insurance Associations called for clarity from the Organisation for Economic Cooperation and Development (OECD) regarding the insurability of fines and penalties following privacy breaches. The OECD’s insurance and private pensions committee is considering the issue.

What is the test to be applied?

Until the issue of insurability of GDPR fines is resolved by policymakers or the courts, the debate will continue. But policyholders and insurers want to know now what the answer might be. What then does the answer turn upon and what guidance might be provided at this stage?

The relevant legal principle in issue is the illegality defence, also known as the “ex turpi causa” doctrine. It prevents a legal right of action from being enforced by the courts when it is founded on “immoral or illegal” conduct. It is directed at both criminal and quasi-criminal conduct. The rationale behind the defence is that it would be contrary to the public interest to enforce a claim if to do so would be harmful to the integrity of the legal system. As such, the issue is whether an insurer is entitled to rely on this defence, and refuse cover, in response to an insured’s claim for indemnity for an ICO fine.

There has been considerable debate in the courts and amongst legal academics as to how precisely the defence should be applied. Guidance as to some of the factors that will be considered can be drawn from the following cases:

  • In Safeway v Twigger, the judge at first instance determined that anti-competitive acts in breach of the Competition Act 1998 involved the necessary element of moral reprehensibility and were sufficiently serious to engage the illegality defence (this was not disputed by the parties on appeal). In reaching that conclusion he took into account the “quasi-criminal” nature, characteristics and purpose of the penalty imposed, including that a heightened civil standard of proof was applied to serious cases and that for the purposes of the right to a fair trial under the European Convention for the Protection of Human Rights, Competition Appeal Tribunal proceedings are regarded as involving a “criminal charge”.
  • In Les Laboratoires Servier, the Supreme Court explained that the illegality defence was concerned with acts which were contrary to the public law of the state and which engaged the public interest. These included “quasi-criminal” acts which infringed statutory rules enacted for the protection of the public interest and which attracted civil sanctions of a penal character.
  • Most recently, in the case of Patel v Mirza, the Supreme Court made clear that even where conduct is “illegal” such that it falls within the remit of the illegality defence, the defence will only be successful if the court considers that it would be in the public interest to allow the defence. The following factors ought to be considered:
    • the underlying purpose of the prohibition which has been transgressed;
    • any other relevant public policies which may be rendered less effective by denial of the claim; and
    • whether upholding the defence would be a proportionate response to the illegality, bearing in mind the seriousness of the conduct, its centrality to the contract and whether it was intentional.

What is the answer likely to be in respect of ICO penalties for non-intentional conduct?

The types of behaviour which may lead to penalties under the GDPR are many and varied, ranging from failure to maintain a record of processing activities to failure to comply with any of the key principles underpinning the GDPR itself.

Given the spectrum of behaviours that can give rise to a penalty, it is difficult to conclude in general terms, based on the case law to date, how the illegality defence will apply to ICO penalties. This is because the criteria determining the application of the defence are closely tied to factors such as the purpose of the provision which has been transgressed and the seriousness of the conduct.

There are some features of ICO penalties which may suggest that they are not insurable:

  • the GDPR arguably engages the public interest, its purpose being to protect individuals’ “fundamental rights” in relation to the processing of personal data;
  • the interests of public policy may dictate that companies in breach of the GDPR bear their own responsibility for the consequent penalties in order to disincentivise behaviour which would otherwise breach the regulations;
  • penalties (as opposed to compensation claims) under the GDPR are imposed directly on a company and are paid directly to the ICO rather than the person affected by a breach, which could indicate that the purpose of the penalty (as with a criminal fine) is to punish and deter rather than to compensate; and
  • the magnitude of the penalties that can be imposed could be said to imply the punitive and quasi-criminal nature of a penalty.

Conversely, however, there are features of ICO fines that suggest they should, in principle, be insurable in certain circumstances. Most significantly, the imposition of a fine for breach of the GDPR does not necessarily require intent and many offences are strict liability offences. It is not clear that the rationale in Safeway is directly analogous because the statute and relevant provisions are different. Case law suggests that the courts are reluctant to engage the illegality defence where an illegal action has been committed without intent (e.g. innocent conduct).

There are some compelling arguments, therefore, that the insurability of an ICO fine may turn on the nature of the GDPR provision that has been breached and the behaviour that caused the breach, i.e. cases will be very fact specific. The answer may be very different in respect of a fine levied for an unintentional data breach where, for example, a company has fallen victim to a nation state attack, as compared to a fine levied for a company’s decision knowingly to process personal data of its customers without the necessary consent or other legitimate basis.

To the extent the ICO levies fines in relation to non-intentional and strict liability breaches, the courts may have significant reservations about determining that the illegality defence is engaged if they consider that the necessary element of moral reprehensibility is absent.

Conclusion

For the time being at least, the flexibility afforded to the courts by the current legal terrain means that it is difficult to predict precisely how they will respond to the question of the insurability of ICO fines but it may now only be a matter of time before the question comes before the courts or is resolved by policymakers. Even then, the answer may be highly fact specific – but that would nonetheless be a big step forward in advancing the debate. In the meantime, we would urge caution against the school of thought that treats all GDPR fines as uninsurable – they may be in some cases but there is a debate to be had.

Greig Anderson
Partner, London
+44 20 7466 2229
Antonia Pegden
Senior Associate, London
+44 20 7466 2530
Sarah Irons
Professional Support Consultant, London
+44 20 7466 2060

Guideline on Cybersecurity for Hong Kong authorised insurers will come into effect on 1 January 2020

Last Friday, the Hong Kong Insurance Authority published its Guideline on Cybersecurity (GL 20) for authorised insurers.  GL 20 will take effect on 1 January 2020.

Cybersecurity is a global regulatory focus and a top priority area for the Insurance Authority, given the growing exposure to cyber risk as a result of increased digital connectivity.

Application

GL 20 applies to all authorised insurers (except for captive insurers and marine mutual insurers) in relation to the insurance business that they carry on in or from Hong Kong.

Objectives

GL 20 sets the minimum standards for cybersecurity that authorised insurers are expected to have in place, and the guiding principles which the Insurance Authority uses in assessing the effectiveness of insurers’ cybersecurity frameworks.

The guideline requires insurers to put in place resilient cybersecurity frameworks to protect their business data and the personal data of their existing or potential policyholders, and to ensure continuity of their business operations.

Key areas of focus

The guideline covers the following key areas:

  • Cybersecurity strategy and framework – This should be endorsed by the board of the authorised insurer, and be reviewed and updated regularly (such as on an annual basis, upon a cyber incident or a major system change) to ensure relevance.
  • Governance – The board of directors of an authorised insurer should hold overall responsibility for cybersecurity controls and ensure accountability within the insurer.  It should cultivate a strong level of awareness of and commitment to cybersecurity.
  • Risk identification, assessment and control – A cyber risk self-assessment tool should be put in place as part of an enterprise risk management program.
  • Continuous monitoring – An authorised insurer should establish systematic monitoring processes for early detection of cybersecurity incidents, regularly evaluate the effectiveness of internal controls and update the risk appetite and tolerance limit as appropriate.
  • Response and recovery – An insurer should develop a cybersecurity incident response plan, which should also include the criteria for the escalation of the response and recovery activities to the board or designated management team. Upon detection of a relevant incident, an insurer should report the incident and related information to the Insurance Authority as soon as practicable, and in any event no later than 72 hours from detection.
  • Information sharing and training – An insurer should establish a process to gather and analyse cyber risk information and participate in information sharing groups to enable it to respond to cyber incidents in an appropriate and timely manner. It should also arrange adequate training for all system users on cybersecurity awareness and latest developments.

William Hallatt
Asia Head of Financial Services Regulatory, Hong Kong
+852 2101 4036
Gareth Thomas
Partner, Hong Kong
+852 2101 4025
Hannah Cassidy
Partner, Hong Kong
+852 2101 4133

Cyber insurance: the impact of evolving legal and regulatory risk

Cyber insurance is still (just about) the new kid on the block. It is commonly thought of as a tool to mitigate exposure to ever-evolving cyber risks. That is right up to a point; but the increasing exposure of business to losses potentially covered by cyber insurance is, in our view, in material part driven by changes in the legal and regulatory risk environment.

It is helpful to start by understanding what cyber insurance does: it transfers to the insurance market some categories of loss resulting from cyber and data risks which may not be covered under other insurance products (although to some extent there may be overlap). These losses may include, for example, cyber incident response costs, data breach claims and business interruption losses caused by cyber incidents.

Cyber and data risk may be considered as part of the peril or event from which insurable losses may result. These are well understood to be quickly evolving risks. According to the 2019 edition of the World Economic Forum’s Global Risks Report, cyber-attacks and data fraud are two of the top five risks that respondents identified as most likely to occur.

But the way in which a cyber and data risk translates into loss for a business, particularly for liabilities, fines and costs, is heavily impacted by the legal and regulatory environment. Recent developments include:

  • the UK Court of Appeal’s decision in the first data breach class action (WM Morrisons Supermarket Plc v Various Claimants [2018]) to uphold the finding of the High Court that an employer can be vicariously liable for an employee’s data breach even when the employer was not at fault. In response to an argument put forward by Morrisons that public policy considerations militate against imposing a disproportionate burden on an employer, the Court of Appeal’s response was that “the solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees”;
  • the well-publicised General Data Protection Regulation (GDPR); and
  • the implementation in national law of the Network and Information Security Directive (Cyber Security Directive).

From an insurance perspective each of these developments carries significant potential exposures for businesses and, by corollary, insurers. The decision in Morrisons (which Morrisons is seeking permission to appeal to the Supreme Court) deals with liability and not with quantum. However, the data of almost 100,000 employees was leaked, and any compensation awarded, including distress-based damages, will likely be considerable. A breach of the GDPR can lead to fines of up to the higher of EUR 20 million or 4% of global turnover; and similarly a breach of the Cyber Security Directive can lead to fines of up to £17 million.

There are also legal risks regarding the scope of what is insurable. Cyber insurance policies tend to provide cover for fines “to the extent insurable by law”. However, there is some uncertainty as to whether or to what extent some fines are insurable as a matter of English law. PRA/FCA fines are uninsurable; but whether GDPR or Cyber Security Directive fines are insurable turns broadly upon the application of the so-called illegality defence (i.e. the ex turpi causa doctrine) or, put another way, whether the basis of the fine may be considered quasi-criminal. By way of analogy, in the case of Safeway v Twigger the UK courts determined that a penalty for anti-competitive practices in breach of the Competition Act was not recoverable on these grounds. In the case of GDPR fines, it must be highly doubtful that fines for fraudulent conduct are insurable; but there is a debate to be had in relation to the insurability of fines for innocent or negligent behaviour, including whether it is correct to determine insurability by reference to conduct on a case by case basis. In January 2019 the Global Federation of Insurance Associations called for clarity from the Organisation for Economic Cooperation and Development (OECD) regarding the insurability of fines and penalties following privacy breaches. The OECD’s insurance and private pensions committee is considering the issue. Until these issues are resolved, we are left with the unsatisfactory position that policyholders cannot count on coverage for fines and, conversely, insurers may be exposed to them if they have agreed to underwrite that risk.

These legal and regulatory issues drive exposure to underlying loss, and the extent of coverage, in tandem with evolving cyber and data risk. In the meantime, the insurance market is responding with innovative insurance products aimed at mapping and mitigating risk. By way of example, some insurers are partnering with cyber security companies to offer cover in tandem with advice on cyber security and GDPR compliance policies, or to measure objectively and score the insured’s network’s resilience to evaluate the insurer’s risk. These types of products may become more widespread as a means for insurers to assess, control and manage their exposure to legal and regulatory risks in the cyber and data sphere.

Greig Anderson
Partner, London
+44 20 7466 2229
Sarah Irons
Professional Support Consultant, London
+44 20 7466 2060
Rachelle Waxman
Associate, London
+44 20 7466 2400

EIOPA Conference: The Main Themes

Three of the themes that EIOPA sees as its priorities were covered at its annual conference on 20 November. All of the topics were the subject of frank and spirited debate, with a range of different views being represented in the panel discussions.

EIOPA should be commended for encouraging views that were contrary to its own to be expressed, an approach which made for a worthwhile and balanced discussion of the topics.


Coverage for ‘Doomsday or Armageddon’ data breach class actions: insurance implications of the Court of Appeal’s decision to confirm Morrisons’ vicarious liability for employee’s deliberate actions

In the recent judgment in Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 233 the Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself. It is understood that Morrisons intends to appeal to the Supreme Court. Our full analysis of the Court of Appeal’s decision can be found here.

Companies now find themselves exposed to potential UK data breach class action claims, including for distress-based damages, based on vicarious liability, even if they have appropriate safeguards in place and even if they are the intended victim of the breach. Day by day businesses find themselves responsible for higher volumes of personal data; and the risk of data breach claims is exacerbated by the legislative changes made by the GDPR, increasing public awareness of data protection issues and the publicity that this case has attracted. In addition, the facts of Morrisons were such that the company had been found not to be in breach of data protection laws. Future class action claims may be even easier to launch in circumstances where a company has been found to breach the GDPR, for example, by not having appropriate security measures in place.


Cyber insurance requirements in commercial contracts: getting it right

Cyber incidents have the capacity to cause many different types of loss.  Insurance coverage exists for at least some aspects of cyber risks in the UK market.  However, given the range and diversity of risks that may arise, there are some key issues for businesses to consider when it comes to insurance against cyber risks in commercial contracts.  Click here to read an article on these issues by Sarah McNally and Andrew Moir that was first published in the December 2017 issue of PLC magazine.

Sarah McNally
Partner, London
+44 20 7466 2872
Andrew Moir
Partner, London
+44 20 7466 2773

Mitigating cyber security exposures: Risk transfer through cyber insurance

Now may be the time to review your cyber risk mitigation strategy and give serious consideration to whether the financial cost of cyber attacks could be transferred to insurers at a fair price.

Cyber security is amongst the leading risks for organisations around the globe. In the last few years most organisations have suffered cyber attacks of some sort, and a series of notable breaches have received heavy media coverage and regulatory scrutiny. Breaches damage not only organisations but also their customers.

Governments have started to wake up to the potential national security and economic impact of cyber attacks, and legislative change is afoot in a number of jurisdictions.

To date relatively few organisations (outside the US) have purchased standalone cyber insurance policies. That appears about to change.
