Why a UK data breach will look different to a US one
Businesses that hold personal information about EU customers will be required to notify regulators and potentially customers if their data has been compromised when the General Data Protection Regulation (GDPR) comes into force in May next year.
Mandatory notification regulations have been in place in the US for over a decade where the market for cyber insurance is mature. With rates for cyber insurance policies in Europe typically lower than in the US at present, many clients have asked whether that will change when these new rules come into place. We look at some of the key differences between the cyber markets in the US and the UK below.
1. Likelihood of suffering a data breach
There were approximately 1,350 publicly-declared data breach incidents in the USA in 2016 and just 108 in the UK. At first glance it would seem that UK businesses are at a much lower risk of suffering a breach. However, stringent data breach disclosure laws have been in place in the US for many years so a much higher proportion of data breaches are required to be made public.
A UK government report in April 2017 found that a staggering 46% of the UK’s 5.5 million businesses (around 2.5 million firms) had suffered a digital attack in the last 12 months, with medium and large companies more likely to have been targets. The report also found that just 26% of the most disruptive breaches were externally reported by UK businesses to any body outside of an outsourced cyber security provider, highlighting the significant scale of under-reporting in the UK at present. The number of reported breaches in the UK will likely increase dramatically once the new GDPR rules are in place and could even proportionally outweigh the number of US breaches.
2. Regulatory fines and penalties
The maximum fine that can be levied in the UK by the Information Commissioner’s Office (ICO) for a data breach is £500,000, with the largest fine issued standing at £400,000 for the October 2015 TalkTalk data breach incident.
In 2015, the United States Federal Communications Commission imposed a $25 million penalty on AT&T for a series of data breaches between 2013 and 2014. Although the difference between the fines looks stark, they actually equate to a similar percentage of the respective companies’ annual revenues (~0.02%).
Article 83 of the GDPR, however, allows for much higher penalties to be levied: companies are at risk of being fined the greater of €20 million or 4% of their total worldwide annual turnover. Therefore, TalkTalk could have faced a fine in excess of £70 million had GDPR been in force at the time.
While there is a lack of clarity surrounding the insurability of fines and penalties imposed under GDPR, one thing that is certain is that the likelihood and level of fines will take into consideration the behaviour of the affected firm post-breach. UK companies are less experienced in dealing with breach response than their US counterparts, a fact that could lead to poorly-handled breaches and subsequently higher fines.
3. Compensation for customer distress
Customers in the US have the legal right to claim compensation from a company that has suffered a breach where they can prove that they have incurred a financial loss as a direct result of a data breach. However, most US federal courts have ruled that where material loss has not been suffered, the mere possibility of future harm is not enough to constitute injury. US courts have typically rejected compensation claims for lost time and inconvenience, and damages for emotional distress are usually recoverable only where there is a medically diagnosable injury. To this effect, the US Supreme Court ruled in 2012 that mental and emotional distress are not “Actual Damages” under the Privacy Act.
For UK businesses, there are two crucial factors which increase the likelihood of non-material damages being payable following a data breach. The first is the ruling by the Court of Appeal in the case of Google v. Vidal-Hall that individuals can claim for distress without having to prove that they have suffered a monetary loss. The second is the express provision under Article 82 of the GDPR which states: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation”. Consequently, individuals may find it much easier to claim for non-material damages in UK and European courts than has been the case in the US.
4. Reputational damage
As mandatory notification regulations have been in place in the US since 2003, many have cited the theory of ‘breach fatigue’ whereby individuals who have their data exposed are less likely to take subsequent action, such as moving business to a competitor. In the UK, where mandatory notification is a much newer concept, consumers have yet to experience the volume of incident reporting that currently exists in the US. In a recent study, 54% of respondents in the UK stated that they would end their business relationship with a company if their sensitive financial information was stolen or lost. The result for US respondents was much lower at 40%. Although the number of publicly-declared data breaches is currently lower in the UK, the TalkTalk case provides a clear example of the reputational damage that can be caused by such incidents. The company admitted losing 95,000 customers as a direct result of the October 2015 cyber attack, equating to a trading loss of £15 million. This was on top of ‘exceptional costs’ of £40–45 million attributable to the attack.
The introduction of GDPR in May will inevitably cause UK businesses’ cyber exposures to increase, potentially significantly. Partnering with an insurer that can offer a 24/7 breach response hotline providing clear advice on the immediate steps that need to be taken, promptly engage first-class IT forensic expertise, and ensure compliance with all relevant data breach notification laws and regulations could be crucial in reducing or even preventing fines payable under GDPR.
For more information about TMK’s cyber products and services, email firstname.lastname@example.org