Over the summer and continuing, UMAL has seen an increased frequency of reports from its Members who have been caught up in adverse cyber-events.
These events can result in unwanted consequences on several fronts:
- Significant disruption to our Members’ activities
- The risk of compensation claims from data-subjects who have had their data infringed, sometimes numbering hundreds and even thousands of potential data-subjects involved in a single cyber-event
- Significant fines
Consistent with what we have seen, it has been widely reported that cyber-crime is on the increase with even further momentum added by the Covid-19 pandemic with cyber criminals attempting to exploit increased network vulnerability created by employees working from home. The US FBI has stated they have seen a tripling in the number of reported cybercrimes since the outbreak of the pandemic.
Disruption to Members’ Activities
Following a cyber-attack significant costs and disruption may result including:
- Identifying the nature and extent of the attack and possibly terminating an ongoing attack
- Devotion of own management and IT resources to managing the attack and its consequences
- Engagement of external experts and consultants
- If involving a ransom attack, dealing with those responsible for the attack
- Time and expense involved in advising data-subjects of the breach and dealing with their subsequent concerns, questions and complaints
- Public relations expenses in managing reputational damage
- Management time and legal costs involved in reporting to and subsequently dealing with supervisory authorities
Many of these aspects can be covered under a focused cyber-insurance cover. Whilst those Members who have Property Damage cover with UMAL are afforded some cover under the Computerguard sub-section, this is not, nor is it intended to be, a comprehensive cover that will provide the levels of cover that Members may require following a cyber-event.
Data Breach Claims
Data subjects do not face a substantial hurdle in bringing claims for damages following an infringement of their data. UMAL’s Members are in the position of being data controllers for vast volumes of data. This can be data they process themselves or data processed for them by third-party organisations.
The combined effects of the General Data Protection Regulations and the Data Protection Act 2018 place a significant burden on data controllers and data processors to safeguard and legitimately handle personal data.
Whilst the GDPR provides a theoretical defence to compensation claims where a controller/processor can show the breach was not its responsibility, in practice it may be difficult to discharge what is a reverse burden of proof:
- There may a presumption that if a cyber-criminal has managed to successfully breach a Member’s cyber-security that the security measures, whether technical or organisational, were not at the required level
- Even if it is not a Member’s own network that has been breached but that of an independent processor, this may not be sufficient to avoid liability in the absence of (i) satisfactory due diligence procedures having been carried out, reviewed and maintained at appropriate intervals, and fully documented, and (ii) the contractual arrangements between the Member and its processors incorporating clear terms covering respective data protection responsibilities and indemnities. Often indemnities are set with very low limits that give little benefit to controllers when a processor is responsible for a breach.
The legal position set out should be noted to be in the context of many claims management companies and claimant solicitor firms actively targeting and farming claims following identified data breaches, as they often see these claims as relatively easy to successfully prosecute (data-subjects can currently recover damages for a ‘loss of control’ of their personal data with compensation increasing for distress particularly where special category or sensitive data may have been compromised). In addition, claimant solicitors can often recover relatively generous legal costs from defendants, as there are currently no fixed costs applicable to these claims unlike low value personal injury claims.
Those Members with liability covers with UMAL will have protection against their legal liability for damages and claimant legal costs arising from data breaches, as set out in the wording.
GDPR provides for fines of up to the higher of EUR€20million (approximately £18million) or 4% of global turnover. These are not covered by UMAL nor can they be covered by an insurance policy. Within the last few weeks we have seen British Airways fined £20million for a data breach, this may have been higher had their revenues not been adversely affected by the pandemic.
- Careful attention should be given to compliance with the provisions of the GDPR and Data Protection Act
- Sufficient technical and organisational measures must be taken and maintained to avoid as far as is possible successful cyber-attacks and data protection breaches
- If using the services of a data processor, ensure that due diligence is carried out and revisited covering the data processor’s compliance with GDPR/data protection legislation, that responsibilities are contractually documented and that adequate indemnities are in force and also contractually documented.
- Carefully consider the need for and organise specialist cyber-insurance cover.