To predict developments in 2016, it makes sense to start with what has happened in 2015 and the likely impact of those events.
Similarly to 2014, 2015 has seen a number of high profile cyberattacks. The most high profile of these in the UK was the attack on TalkTalk in October. This resulted in 157,000 customers having their personal data compromised and 15,656 bank accounts and sort codes being accessed. This was far fewer than the 4 million originally feared, or the number of people who have been affected in other high profile cyberattacks. By way of example, the cyberattack on US supermarket chain Target in 2013 compromised 40 million credit and debit card accounts and 70 million individuals’ information. In 2015, the Ashley Madison hack led to 33 million customers having their information posted online.
However, unlike previous cyberattacks, the TalkTalk attack was front page news in the UK for days. In its half-yearly report in November 2015, TalkTalk announced that the hack was likely to result in a one-off cost of £30-35 million. Fortunately, TalkTalk reportedly had cyber liability insurance in place.
Many insurers of course now offer cyber liability insurance. The TalkTalk cyberattack has served as a good reminder for why it is required.
There is little reason to believe that the pace of significant data breaches will slow in 2016. Even as awareness of cyberattacks increases, either the sophistication of the breaches, or the relative unsophistication of them coupled with surprisingly successful results, is likely to mean there will be more.
As companies (especially in the UK) look at TalkTalk and worry whether they could be next, we expect that alongside the technical, legal and reputational steps they take to mitigate the risks and effects of a cyberattack, they will also put cyber insurance in place. On this basis, we predict the cyber insurance market will become a great deal more crowded during 2016 and more comprehensive in its coverage. This could include coverage not just of data breach costs (both for a business and its customers), but also crisis communications, cyber extortion (as was the case with Ashley Madison) and regulatory defence costs. Some insurers are already offering such coverage, but not all.
For further articles on cybersecurity in 2016 and predictions, see Tech and Media Predictions for 2016, What lies ahead in data protection and cybersecurity and Cybersecurity in 2016.
Last year we wrote (as part of our Cyber Risks review) that all the indicators were that the costs of data breaches would increase. In part this would be as a result of data breach notification requirements and increased regulatory fines.
Late in December 2015, agreement was reached between the European Council, Parliament and Commission on the General Data Protection Regulation (GDPR). The GDPR is intended to enhance and update EU data protection law. After a legal-linguistic review of it (which is likely to result in some further changes to it), the GDPR will be submitted for adoption by the Council and, subsequently, by the Parliament. There will be a two year implementation period, so it is likely to enter into force in spring 2018. The GDPR will introduce notification requirements and fines for data controllers. In the agreed text, data controllers can face maximum fines of up to €20 million or 4% of their global annual turnover. The level of fines has varied significantly between different draft texts of the GDPR.
To keep up-to-date with developments on the GDPR, visit our Global Data Hub.
Also late in December 2015, agreement was reached between the European Council, Parliament and Commission on the Network and Information Security Directive (NISD). Once the agreed text has undergone technical finalisation, it needs to be formally approved first by the Council and then by the Parliament. The procedure is expected to be concluded in spring 2016. Member States will then have 21 months to transpose it and six months to identify operators of essential services.
NISD requires Member States to adopt a national Network Information Security Strategy and designate a national competent authority to implement and enforce compliance in addition to creating a Computer Security Incident Response Team. NISD also creates a cooperation mechanism between Member States to facilitate the exchange of information and swift and effective handling of cybersecurity incidents.
Certain service providers will be subject to security and breach notification requirements. Businesses falling within the definition of “operators of essential services” will have to take appropriate security measures and notify serious incidents to the relevant national authority. Such businesses will include utilities, transport, banking, financial market infrastructure and digital infrastructure providers. Important digital businesses falling within the definition of “digital service providers” will be subject to a similar regime, although they are expected to face lighter-touch obligations. This will include the providers of online marketplaces, cloud computing services and search engines with an exemption for small providers.
Fines were originally proposed, but will now be determined by Member States, other than for breaches of personal data where they will have to be consistent with the GDPR.
In addition to these legislative developments, which will result in higher costs from cyberattacks, there have also been some significant case law developments in 2015 which should likewise alert insurers to increased potential claims under policies. In Vidal-Hall v Google, the Court of Appeal:
- recognised misuse of private information as a tort (for the purposes of service out of the jurisdiction); and
- held that damages for distress were recoverable in claims for misuse of confidential information, whether or not financial loss had been suffered.
We reported on this decision at the time.
In July 2015 the Supreme Court granted Google permission in part to appeal the Court of Appeal’s decision on the following points:
- the finding that section 13(2) Data Protection Act 1998 (DPA) is incompatible with Article 23 Data Protection Directive 95/46/EC (in that it requires financial loss to be suffered for damages for distress to be available); and
- the decision to disapply section 13(2) on the grounds that it conflicts with the rights in Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the EU Charter of Fundamental Rights.
The Supreme Court will likely hear the case in 2016.
The Supreme Court decision concerning s13(2) has potentially significant implications for data controllers if claims can be brought for distress without pecuniary loss having to be shown. Guidance as to quantum remains very limited and fact sensitive, though it is unlikely claims would be worth more than a few thousand pounds. However, group litigation could make this far more significant in the case of a major data breach, with “death by a thousand cuts” a distinct possibility for some companies if Google is unsuccessful on appeal.
Commentators have also noted that many liability insurance policies (not just cyber security, but also D&O and PI) provide cover for data protection and privacy liabilities. Whereas previously the DPA proved a hurdle to such claims, this decision means that there is now a potentially significant exposure.
The recent decision in Gulati & Ors v MGN Ltd is likely to make these concerns all the more acute. Victims of blagging and phone-hacking were awarded compensation ranging from £85,000 to £260,250, whereas the previous highest award in a privacy case had been £60,000. In the context of Vidal-Hall (where breach of the DPA also amounts to the tort of misuse of private information), data protection and privacy rights are becoming deeply entwined.
This is a decision to watch in 2016. If the Supreme Court dismisses Google’s appeal, data controllers will need to assess their exposure to claims for distress, and in the meantime they may face many claims for damages for distress where there is no pecuniary loss.
Internet of Things
Indicators are that the Internet of Things (IoT) could open up many opportunities for business. In a recent report, PwC predicts that over the next five years, connected living could be worth $1 trillion of which the connected home would be $149 billion. However, this also serves to increase markedly the number of entry points to a network, and therefore exposure to cyberattacks. Many IoT devices have been designed not with security in mind, and companies need to be aware of the risks that this poses.
ENISA (the European Union Agency for Network and Information Security, which is the centre of network and information security expertise for the EU) has just released a report on security and resilience of smart home environments. This recommends there should be a consensus on minimum security requirements, clarity on legal aspects pertaining to smart home environments and all those involved in the development of IoT devices should support this and work towards it. At present, there is no dedicated EU policy to target smart home environments. In addition, the need for security in smart home environments is underestimated, which means vendors lack incentives to enhance it. It is faster and cheaper to get a less secure product to market and since consumers are not currently concerned about the security of IoT devices, they are more likely to buy the cheaper and less secure device as opposed to the more expensive and secure one. No doubt a few high profile and significant cyberattacks on IoT devices and smart home environments will change this.
We predict that as more consumers become conversant with the IoT and creating their smart home, a consumer cyber liability insurance product is likely to develop.
The FCA has recently requested information on general insurers’ use of big data. Insurers have been using such information (often collected from social media websites) to calculate premiums. The Association of British Insurers has said that insurers treat personal data sensitively and securely and that big data makes insurance work better for customers by improving the claims experience and creating personalised and innovative products. Meanwhile, consumers are concerned that personal information from social media is being used in a way not made clear to them. The FCA’s study will no doubt prove important to insurers’ mode of operating with big data.