Data subject insurance claims are ‘sting in the tail’ for corporate cyber breach victims

Data subject claims – made by individuals whose data has been compromised following a corporate insured experiencing a data breach – is “effectively becoming the new PPI”, often acting as a “sting in the tail” for organisations attempting to recover after a cyber attack.

Tom Pelham, a partner specialising in cyber breach responses at law firm Kennedys, told Insurance Times that although these claims against insureds are usually “low level”, the “huge uptick” in volume could see businesses facing a hefty exposure.

He explained: “One of the trends that we’re seeing is a rise in data subject claims. These are the claims by the data subjects that have had their data compromised in some way on the back of being told that they’ve been breached. There are rights within GDPR and other legislation to allow data subjects to pursue claims against those who are responsible for the breaches.

“Often it’s the sting in the tail for those who have gone through a very corporately traumatic event; you get yourself back on your feet after several weeks of corporate downtime and then all of a sudden you face a wave of claims from data subjects who are pursuing damages claims either for distress and inconvenience and anxiety, or for loss of control of data.

“In the UK, it’s effectively becoming the new PPI. We’re seeing a huge uptick in that kind of activity.

“The damages that have been sought are really low level in the grand scheme of things, but you only need 100,000 people to start coming after you for low level damages and suddenly you’re talking about £10m, £20m, £30m in exposure. A lot of the insureds are waking up to this long-tail risk of data subject claims down the line.”

Although data subject claims were able to be pursued prior to the introduction of the European Union’s General Data Protection Regulation (GDPR) in May 2018, this legislation acted as an eye-opener for many individuals around their data rights.

“What we’ve seen after GDPR is more of a public awareness about data rights and also [a] more aggressive appetite by the claimant solicitor community to look at ways of bringing group actions,” Pelham added.

Group action take up

Furthermore, Pelham cited the ongoing Lloyd v Google data breach legal case. The Court of Appeal here ruled that in data breach situations, data subjects can pursue claims for the loss of control of data – to be successful, they just need to demonstrate that their sensitive data has been compromised in some way. Factors such as stress or inconvenience, for example, do not need to be proven.

The Court of Appeal added that the UK courts would also entertain the idea of adopting a US style ‘opt out’ legislation for data subject claims, whereby all claimants are automatically included in legal action – currently, subject to the Supreme Court decision, data subjects need to opt in to group action activity around data breaches.

This switch in stance “could dramatically change the dynamic of these kinds of claims”, Pelham said, as the take up rate could escalate dramatically.

Ransomware trends

Pelham additionally noted that there has been a recent “surge” in data breaches, mainly through the use of ransomware – Kennedys, for example, usually deals with around five or six data breaches in one week.

However, it is not the frequency of cyber attacks that is concerning Pelham, but the “really worrying trend in the sophistication of breaches”. He said this has been particularly influenced by organised criminals becoming more involved in online crimes over the last year, using aggressive methods such as data exfiltration alongside typical ransomware approaches – this is showing no signs of slowing down, he added.