Recently published research by the security software company Egress has revealed that an overwhelming 90% of security leaders are concerned about group legal settlements following a serious data breach, compared to 85% who are worried about regulatory fines.
The research also found that almost half (47%) of consumers would likely join a class-action lawsuit against an organisation that had leaked their data, proving security leaders’ fears to be accurate.
In response, 91% of security leaders are turning to cyber insurance to protect themselves from financial exposure by either taking out new policies or increasing their cover because of General Data Protection Regulation (GDPR).
The survey, independently conducted by OnePoll on behalf of Egress, interviewed 250 security leaders and DPOs in the UK and 2,000 UK consumers.
The key insights taken from this survey include:
- 90% of security leaders are concerned about class action by data subjects in the event of a serious data breach, whereas 85% are concerned about regulatory fines
- Almost half (47%) of UK consumers say they’d join a class-action lawsuit against an organisation that had leaked their data – 91% of security leaders reported taking out cyber insurance, or upgrading their policy, as a result of GDPR
- 67% of UK consumers are aware that they have the right to take legal action against an organisation that suffers a breach that exposes their personal data
“The financial cost of a data breach has always driven discussion around GDPR – and initially, it was thought hefty regulatory fines would do the most damage. But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating the conversation,” comments Egress CEO Tony Pepper. “Organisations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist. With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”
Lisa Forte, Partner at Red Goat Cyber Security LLP, added “The greatest financial risk post-breach no longer sits with the regulatory fines that could be issued. Lawsuits are now commonplace and could equal the writing of a blank cheque if your data is compromised. European countries haven’t typically subscribed to a litigious way of regulating the behaviour of companies. That is now changing and without explicit Government intervention companies will need to accept they need deeper pockets to cover the lawsuit gold rush we are starting to see.”
“The recent Google case that currently sits with the UK Supreme Court could make group claims ‘opt-out’ instead of ‘opt-in’,” continues Lisa. “That will inevitably mean that every single customer affected would be entered into the group action. That should be a huge worry for companies, who need to really prioritise preventative measures both technical and human and have a tested incident plan in place.”
Eric Bedell, Chief Privacy Officer, Luxembourg’s DPO of the Year 2020, comments “When enforced back in 2018, GDPR set the tone of how use of personal data should be regulated. When regulatory fines have been in the news (and often used as a trigger for GDPR implementation), there is a lesser-known aspect: the right to take legal action against an organisation, not only for data breaches, but also for failure to erase personal data, to rectify, to respond to Data Subject Access Requests (DSARs) or to provide portable information.”
Eric continues “If in the United States, under CCPA, we have seen many actions, in Europe this is not (yet) widely used. However, I predict that this will grow as this right to take legal action becomes more popular – especially knowing that the ICO publishes a web page to provide guidance for data subjects taking such action. As a firm this is a risk you want to consider, maybe more than regulatory fines, in my view.”
Edina Csics, GDPR & Data Protection Consultant at GIS-Consulting BVBA, comments “While cyber insurance might cover the financial damage caused by a data breach, it won’t help recover any reputational damage done. I hope that the 91% of respondents that have changed their cyber-insurance policies in response to GDPR have also considered doing the right thing by putting more serious measures in place than click-through employee security training and remediating their loosely implemented security technologies in addition to, and not instead of, taking out cyber-insurance. Data breaches do occur, and it’s a matter of when and not if, but in many cases these could be prevented.
But whatever their motivation, be it fearing collective lawsuits or regulatory fines, in taking steps to avoid financial damage, their actions may play in favor of consumers and the protection of their data.
Having said that, looking at the past activity of the ICO and its enforcement habits, I am inclined to understand why security leaders are more worried about the actions of those who are directly impacted – the data subjects whose personal data is subject to their not-quite watertight security measures – and those data protection activists that have an even higher drive to prove that there is more organisations can do to guard personal data.”