The regulator’s penalties for data breaches are stiff, but a bigger problem could be an avalanche of claims from clients for data mis-handling
The developing Facebook/Cambridge Analytica scandal has shown how easy it is for firms to lose control of customer data, and how easily it can be misused.
Under the new regulations coming into force in May, the consequences for firms of that kind of data mishandling are potentially devastating. And that’s not just at the hands of the regulator, but also from customers aggrieved at how their data has been misused.
A lot of attention has focused on the fines and penalties for firms who fail to report data breaches or cyber attacks within 72 hours.
Fines for non-compliance could be up to 4% of total annual turnover or €20m, whichever is higher.
But claims for misuse of data from individual customers could pose a greater threat to insurance companies and other data-rich financial service providers.
Independent insurtech company Auger believes GDPR could be the new PPI in terms of claims for misuse of customer data.
Customers will be entitled to ask insurers to delete their personal data where it is no longer required for its original purpose, or where they have withdrawn their consent. Under GDPR, insurance customers can also request that their personal data be transferred to a competitor.
Auger’s head of technology, Neil Wilks, warns that people who suspect insurance companies may be storing or processing data illegally will almost certainly be encouraged to pursue a claim in much the same way as PPI claims.
“For the insurance industry, GDPR is a big shake-up, and will cause significant disruption to how insurers store, manage and process personal data. They could find themselves on the wrong end of various legal scenarios if they don’t put their house in order,” he says.
“They will face claims cases that are genuine where there has been negligence and damaging effects of misuse by the company of an individual’s data, and there will also be the no-win no-fee scenario.
“The ‘ambulance chasers’ will want to maximise it just as many have done with PPI.”
PPI claims cost the banking industry around £30m-£50m a year, and GDPR could show similar figures if companies are not prepared for the changes when they come in, Wilks cautions.
“As insurance companies often both control and process data they need to be fully prepared for the new rules to come into effect,” he says.
Auger’s warning echoes statements last November from law firm DAC Beachcroft, which said that a torrent of claims across Europe is “likely” from 25 May, when the new regulations come in.
“If there is one finding I would highlight over others, it’s that over 80% of jurisdictions expected compensation claims for data protection breaches to increase under the GDPR,” explains DAC Beachcroft partner and head of cyber and data risk, Hans Allnut.
“While the fines and penalties under the GDPR have quite rightly grabbed the headlines, what might not be appreciated is the incoming wave of litigation that organisations face if they are found to contravene the GDPR’s new rules,” says DAC Beachcroft partner and head of professional risk, Patrick Hill.
End of financial loss rule
Until recently it wasn’t possible to claim damages for a data breach under English law unless there had been a financial loss suffered, but a recent ruling in a case involving the Morrisons supermarket chain means that financial loss no longer needs to be established before a claim can be made.
Disgruntled Morrisons employee Andrew Skelton posted payroll data of nearly 100,000 staff in 2014 – national insurance numbers, account data, dates of birth, salary and contact numbers. He was convicted in a criminal case and sentenced to eight years in prison, but that was followed by a civil case against Morrisons filed by 5,518 current and former staff. The UK’s High Court found the supermarket liable, meaning thousands of staff are in line for compensation.
“Morrisons said they did all they could in mitigation,” says Ann Bevitt, a partner and data protection and employment law specialist at law firm Cooley.
“It’s very hard to deal with a rogue employee like that. The court had sympathy but still found Morrisons vicariously liable. The risks are going to be much increased under GDPR and you’re never going to be 100% secure,” she says.
“It may mean establishing different processes and using different technologies. Companies may need to work remotely in a much more compliant way than they have been.”
DAC Beachcroft’s Hill points out that potentially 100,000 people could have sued Morrisons, at a cost per litigant of up to £20,000.
“That is suddenly a major claim,” he says, adding that, however “eye-watering” the GDPR fines may be, “It will be those compensation claims, rather than the fines and penalties, that are of real concern under GDPR.”
Not everyone is so alarmed about the litigation risk, however.
Ash Patel, technical director at RWA Consultancy who gave a presentation at the Insurance Times Cyber Insight conference last November, now says that most companies have made big strides in the past few months to be ready, and is more sanguine about the prospect for claims.
“We are in a much better place than we were in November. In the past couple of months, we have seen a surge in activity by most of the companies we work with,” he says.
“I don’t think we will see claims relating to GDPR on the same scale as we did for PPI.”
Patel doesn’t think it will be as big an issue as Auger fears, saying: “There will be slippage but generally, there is good progress. There will be a period where companies are still getting used to the changes, but I don’t think it will be too long.”
And even if there is a cause for a claim, Patel thinks the likelihood of a claim going to court is minimal.
“I think it will be very hard for the man in the street to bring a claim. Unless there is blatant negligence or a breach of their duties,” he said.
“And if there is cause for a claim, we won’t see anything until the tail-end of the year.”
With businesses facing constant risk of cyber-attack, hacking of their systems, data losses, lost laptops, insider and outsider frauds – it seems likely there will be plenty of breaches. Better to show some reasonable steps to compliance, then, before something bad happens.
“Demonstrating compliance is generally speaking one way of defending yourself – showing that you have taken steps to comply, such as by doing a data audit to ensure you have the right record keeping in place,” says Sarah Pearce, a partner who focuses on data protection and technology transactions at legal firm Cooley.
It seems many firms remain unaware or naïve about the impact GDPR could have on their business, with lax data governance less of an exception than the norm.
“Most companies don’t police what their employees do with personal data as closely as they should, even under the existing regime,” says Ann Bevitt, a partner and data protection and employment law specialist at Cooley.
“GDPR puts heightened regulation on employers relating to employees’ use of personal data.”
Employees keeping client or third-party data on memory sticks, company or personal email accounts, personal or work laptops leads to a potential governance nightmare. What to do?
Training is crucial, stresses Pearce. “It’s about training employees what’s okay and what they might be doing is risky. It’s particularly important to look at the way you do it across the company,” she says. “That means gearing training internally to different teams. So, the IT teams should have that training about how to treat data securely from the outset - privacy by default needs to be brought home.”
That should be built on top of the generic GDPR training for the whole staff, according to Bevitt, while not forgetting to include those who might not be on the internal lists: interns, contractors or consultants with access to personal data.
“Everyone should have a general awareness of rights and responsibilities,” she says. “Other specific teams needing different training include human resources and service support, who will be on the receiving end, for example, of recognising customer requests for the right to be forgotten, and passing them on appropriately.”
Ultimately, firms’ compliance efforts will be limited by common sense – they need to stay competitive and avoid prohibitive costs.
“Reasonable compliance will likely mean to have done all that is possible while remaining commercially sensible,” says Pearce. “But of course, it remains to be seen how the regulators will react.”
Cyber selling opportunities
According to DAC Beachcroft’s Hill, the increased threat of legal action and the accompanying compensation claims can be used to drive up sales of cyber insurance and help the market mature into an established field of insurance.
“If I was a broker I would be asking my clients how they would deal with the after effects of an incident such as this,” he says. “There is a huge potential for cyber insurance – the market is competitive, and most providers see cyber insurance as a major growth area.
“We will see a lot of competition around price, and the cover will be fairly broad in nature and then the market will correct itself naturally as claims calm down, and then we will see more tailoring of policies.”