Google Inc v Vidal-Hall: implications for D&O insurers
Published 23 June 2015
In March 2015, the Court of Appeal confirmed the right of Ms Vidal-Hall and two other claimants to sue Google for compensation for distress caused by Google's allegedly secret tracking of their online browsing activity. In doing so, the Court rejected Google's appeal against the first instance decision and declared that "misuse of private information" is a tort for the purposes of bringing proceedings against companies outside the UK.
Compensation for distress caused by data breaches is governed by section 13 of the Data Protection Act 1998 ("DPA"). Before this case, claimants had to prove some direct financial loss before they could claim compensation for distress. The Court of Appeal's decision endorses the first instance judge's view that claimants should not be restricted in this way, and should be able to claim compensation for moral damage caused by a breach of the DPA without needing to prove pecuniary loss.
Although the substantive claim has yet to be heard, this decision has already established new law in the UK, whatever the eventual outcome.
A rise in D&O claims?
This case demonstrates that companies are likely to face increased liability and claims for breaches of data protection and security laws, which most cyber risk insurance policies are designed to indemnify. However, the decision should also act as a caution to D&O insurers.
Under the DPA, duties are owed by the "Data Controller" to the living individuals to whom personal data relates. Directors are not typically "Data Controllers" in their own right (Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & 6 others) and therefore this case does not create a new "cause of action" for a data breach victim to pursue a director.
However, given that data security and compliance with regulatory obligations are increasingly becoming board responsibilities, directors who fail to prevent a company from breaching its legal requirements could face claims from the company itself. For example, the company may allege that the directors are in breach of duty for failing to (i) take reasonable steps to protect third parties' personal information, and (ii) implement controls to detect and prevent a data breach.
Whilst the damages awarded against a company under the DPA are expected to be modest, the high volume of potential claims will be a concern. We may see companies attempting to pass the aggregated liability on to their directors on the basis that the breach resulted from the directors' failures.
Of course, the directors of a company are highly unlikely to choose to sue themselves. But if a data breach is severe enough, the combined compensation payments could be financially devastating, and if insolvency practitioners are appointed, they will be under a duty to consider suing the former board.
Alternatively, if the breach is widely reported in the media, the public may call for the board to be replaced and demand that somebody is held accountable. In this scenario, a newly established board is much more likely to sue the former management.
It is also possible that the regulator may feel compelled to investigate, even where compensation is paid. The UK data regulator, the Information Commissioner's Office ("ICO"), is empowered to require companies to "undertake" to follow a prescribed course of action following a breach of the DPA. It is telling that undertakings are almost always signed by the CEO or MD of a company, indicating the level of seniority the ICO requires in order to address these issues.
Similarly, in the next 12 months, we expect the FCA and PRA to issue express guidance on the need to address data protection and cyber security issues.
Cover under a D&O Policy
As a result of the broad cover provided under a D&O policy, civil or regulatory claims filed against directors and officers for data protection and privacy breaches will typically attract cover under Side A or Side B. In today's soft market, incorporating an express exclusion allowing insurers to avoid paying "cyber" related claims is simply not an option.
Whilst cyber policies provide cover to a company for first party losses and third party claims, they do not protect individuals. Excluding cyber claims under D&O policies could therefore leave a large gap in the market; directors would be uninsured when they need cover the most.
Instead, D&O insurers would be wise to ask questions at the placing stage to understand whether the directors and officers are actively looking at cyber risk to satisfy their management duties.