Cyber Insurance, Privacy and Data Security Newsletter Introduction - January 2016
Published 6 January 2016
As we close in on the final stages of dry-anuary, we are taking the opportunity of sobriety to make our 2016 predictions for the world of cyber insurance, data breaches and privacy liability.
We predict that the number of publicised data breaches in the private sector will increase this year. We have noticed a heightened awareness amongst our clients of not only the ICO's guidance to notify serious breaches, but also a sense of corporate responsibility to do the right thing. This could be attributable to a particularly high-profile breach in 2015, and the agreement on the wording of the General Data Protection Regulation that reached near-final form in December. Notification of data breaches will be mandatory across Europe in two years' time, matched with fines of up to 4% of annual turnover for non-compliance. Prudent organisations are seeking to play by the rules now.
Privacy liabilities and claims for compensation are also set to increase on the back of the Court of Appeal’s decision in Vidal Hall v Google. The mood music seems to suggest that the decision will be held by the Supreme Court in October this year. Notwithstanding Vidal Hall, other cases relating to the wider tort of the misuse of private information continue to bring significant damages awards. On 17 December 2015, the Court of Appeal in Representative Claimants v MGN  EWHC 1482 (Ch) upheld damages awards of between £72,500 and £260,250 per victim. Of course, this is a matter not only for cyber insurers, but insurers of all liability classes.
2016 may be a significant year for cyber business interruption incidents. Last month saw outages on the Steam, Minecraft and PlayStation gaming networks after a Christmas Day cyber-attack, preventing gamers from enjoying their new toys. On 23 December, a highly organised (and allegedly state-sponsored) attack on the Ukrainian Power Grid cut power to more than 80,000 people. The attackers infected the computer systems with malware, paralysing the company, and disconnected breakers, meaning that workers had to travel to substations and manually change the settings to restore power. They sabotaged control systems, giving the impression that power remained flowing, and used a denial-of-service attack on a call centre to prevent real customers from reporting the outage. Finally, the disruption that can be caused by negligence, otherwise known as “fat-finger” errors, was highlighted by the Oyster card system failure. This was caused by an upgrade to London tube fares after the Christmas break and led to thousands of people travelling for free, with TfL sustaining financial losses.
Topics for debate in 2016 will include the evolution and increasing occurrence of monetary thefts by cyber-criminals and whether this is a problem for the cyber insurance market to solve. A Texas manufacturing company is suing its commercial crime insurers for refusing to cover a loss caused by a phishing scam in which the chief executive was duped into sending $480,000 to an imposter's account. Some misguided commentators have highlighted this as a failure of “cyber insurance”, rather than the reality that the insurance claim was submitted under a commercial crime policy. Wider awareness of what is, and what is not, covered by cyber insurance may be needed.
The debate over property damage caused by cyber events and into which sector of insurance it should fall will also continue. Given the increasing propensity for cyber war and cyber terrorism (as reported in last month's newsletter), we foresee further industry advocates coming out in favour of a Government-backed cyber terrorism pool.
We look forward to reviewing these predictions at the end of 2016. Of course, if we are right, we will be highlighting our success during 2017's dry-anuary. If we are wrong, expect them to be buried somewhere in our end of year review on 29 December!