Published On: 23 June 2015
In March 2015, the Court of Appeal confirmed Ms Vidal-Hall's and two claimants' right to sue Google for compensation for distress caused by Google's allegedly secret tracking of their online browsing activity. In doing so, the Court rejected Google's appeal of the Court's first instance decision and declared that the "misuse of private information" is a tort for the purposes of suing companies outside of the UK.
Compensation for distress caused by data breaches is governed by section 13 of the Data Protection Act 1998 ("DPA"). Before this case, claimants had to prove some direct financial loss before they could claim compensation for distress. The Court of Appeal's decision endorses the first instance judge's view that claimants should not be restricted in this way, and should be able to claim compensation for moral damage caused by a breach of the DPA without needing to prove pecuniary loss.
Although the substantive claim has yet to be heard, regardless of the outcome, this decision has already established new law in the UK.
This case demonstrates that companies are likely to face increased liability and claims for breaches of data protection and security laws, which most cyber risk insurance policies are designed to indemnify. However, the decision should also act as a caution to D&O insurers.
Under the DPA, duties are owed by the "Data Controller" to the living individuals to whom personal data relates. Directors are not typically "Data Controllers" in their own right (Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & 6 others) and therefore this case does not create a new "cause of action" for a data breach victim to pursue a director.
However, given that data security and compliance with regulatory obligations are increasingly becoming a board responsibility, directors who fail to prevent a company from breaching its legal requirements could face claims from the company itself. For example, the company may allege that the directors are in breach of duty for failing to (i) take reasonable steps to protect third parties' personal information, and (ii) implement controls to detect and prevent a data breach.
Whilst the damages awarded against a company under the DPA are expected to be modest, the high volume of potential claims will be a concern. We may see companies attempting to pass the aggregated liability onto their directors as a result of the directors' failures.
Of course, the directors of a company are highly unlikely to choose to sue themselves. However, if a data breach is sufficiently severe, the combined compensation payments could be financially devastating, and if insolvency practitioners are appointed, they will be under a duty to consider suing the former board.
Alternatively, if the breach is widely reported in the media, the public may call for the board to be replaced and demand that somebody is held accountable. In this scenario, a newly established board is much more likely to sue the former management.
It is also possible that the regulator may feel compelled to investigate, even where compensation is paid. The UK data regulator, the Information Commissioner's Office ("ICO"), is empowered to require companies to "undertake" to follow a prescribed course of action following a breach of the DPA. It is telling that undertakings are almost always signed by the CEO or MD of a company, indicating the level of seniority the ICO requires in order to address these issues.
Similarly, in the next 12 months, we expect the FCA and PRA to issue express guidance on the need to address data protection and cyber security issues.
As a result of the broad cover provided under a D&O policy, civil or regulatory claims filed against directors and officers for data protection and privacy breaches will typically attract cover under Side A or Side B. In today's soft market, incorporating an express exclusion allowing insurers to avoid paying "cyber" related claims is simply not an option.
Whilst cyber policies provide cover to a company for first party losses and third party claims, they do not protect individuals. Excluding cyber claims under D&O policies could therefore leave a large gap in the market; directors would be uninsured when they need cover the most.
Instead, D&O insurers would be wise to ask questions at the placing stage to understand whether the directors and officers are actively looking at cyber risk to satisfy their management duties.