The increasing sophistication of cyber criminals, and the potentially significant implications of a data breach, mean that cyber insurance is an increasingly sought-after product.
However, the extent to which insurance for cyber liability will provide the cover that is required is yet to be tested.
A cyber breach can have both first party and third party implications. The first party implications include business interruption, reputation management, the costs for restoring the data, and property damage where the cyber attack has led to physical damage. These are familiar insurance concepts, and it is anticipated that existing methods of calculating, say, a claim for business interruption, can be applied to business interruption as a result of a cyber breach.
Similarly, the payment of defence costs following a third party claim and settlement payments made following a data breach should also follow familiar principles. That it is possible for a claimant to recover damages for data breach on the basis of distress where there has been no financial loss was confirmed in Google Inc v Vidal-Hall and others. (See also Representative Claimants v MGN Ltd.)
Insurability of GDPR fines
An area of some uncertainty, however, is the extent to which the General Data Protection Regulation (GDPR) fines can be insured against.
The GDPR (Regulation 2016/679) takes effect from 25 May 2018. A breach of the regulation can lead to significant fines, the maximum being the greater of four percent of global turnover or EUR 20 million. Article 83 of the GDPR sets out the factors to be taken into consideration when determining the level of the fine. This is a significant increase to the previous maximum fine of £500,000, provided for in the Data Protection Act 1998.
This has focussed the minds of corporates on the potential consequences of a data breach, how it could affect the bottom line and what can be done about the risk; in other words, are such fines insurable?
Ex turpi causa
A policyholder cannot recover under a policy of insurance in respect of a loss intentionally caused by its own criminal or tortious act (Beresford v Royal Insurance Co). The ex turpi causa principle, that a claimant cannot pursue a legal remedy for loss in connection with its own illegal act, applies to criminal acts and acts which are of a “quasi criminal” nature, as they engage the public interest in the same way.
Safeway v Twigger concerned a £10.7 million fine imposed on Safeway by the Office of Fair Trading for fixing the price of milk. Safeway sought to recover these monies from the directors in place when the price fixing took place. The court would not let Safeway recover from the directors. The court took the view that the provisions under which the fine was levied held Safeway “personally” responsible for the price fixing. The purpose of the fine, therefore, was to punish Safeway. Allowing it to pass the fine on to the directors would have allowed Safeway to escape responsibility for its own illegal act, something that the ex turpi causa principle would not countenance. The fine was imposed upon Safeway and, in accordance with the ex turpi causa principle, it could not avoid its consequences.
The position is less clear, however, in situations where there is no moral culpability, for instance in a case of strict liability.
The question is the extent to which recoverability of GDPR fines will be deemed to be contrary to public policy such that they should not be recoverable under cyber policies.
The purpose of the regulations is to ensure that data processors have sufficient systems in place to prevent data breaches. Article 84 of the GDPR provides that the fines are to be “effective, proportionate and dissuasive”. Arguably, a failure to prevent the breach imposes on the insured sufficient moral blame to prevent a recovery, and the fines are unlikely to have much “dissuasive” effect if they can simply be passed on to insurers.
However, should a data processor not be able to recover the penalty imposed upon it where it is itself the victim of a cyber hack?
It may come down to the reasons for the breach. It would seem unfair if a policyholder who had invested in state-of-the-art protection software could not recover following a breach it could not avoid.
However, if the policyholder chose to cut corners and left their system open to criminals, it is arguable the ex turpi causa principle should prevent a recovery.
With the new GDPR in force from 25 May 2018, it is likely to be only a matter of time before we obtain more guidance on this issue. Until then, we anticipate that cover will be sold subject to the caveat that it is “insurable at law”.