Allegations that Facebook users' data was harvested and used by third parties highlights the potential issues for D&O insurers when their insureds fail to protect data.
In our article Facebook, Cambridge Analytica and the ICO we consider some of the implications of the high profile investigation by the ICO into the harvesting of data from Facebook, which was then passed to Cambridge Analytica and allegedly used for political means.
D&O insurers in particular will be watching developments with interest. Data is a valuable commodity, and corporate entities, along with their management and their insurers, expose themselves to significant risk if they fail to secure data and/or have inadequate processes in place to respond to a breach. Compliance teams should have been working hard for some time, in order to ensure compliance with the GDPR by 25 May 2018 (see our GDPR microsite).
Potential issues for D&O insurers come to the fore when data breaches result in claims and complaints - events such as the recent Morrisons litigation and the political and media frenzy now surrounding Facebook highlight the potential issues for senior management of affected entities.
Cover under a D&O policy might be triggered by:
- Regulatory investigations: The ICO is investigating Facebook and Cambridge Analytica, and the FCA and other regulators around the world may well take an interest.
- Political inquiries: Mark Zuckerberg, CEO of Facebook, has been called before the Parliamentary Select Committee conducting an inquiry into Fake News.
- Litigation: Claims have already been brought in the US both by a Facebook user, alleging violation of privacy, and by multiple investors who are seeking damages for losses allegedly suffered after Facebook’s stock price plummeted following disclosure of the data misuse. Both actions have the potential to become large class actions, should the US court certify them as class actions, in which case the defence costs and, therefore, potential exposure for D&O insurers, could be significant.
Of further interest to insurers may be the potential “contamination” that this enquiry initiates. The whistleblower at the centre of the unfolding scandal has suggested that many other third parties (including app developers) were exploiting the same terms that Cambridge Analytica used to its advantage. We would expect developers and other businesses operating within the digital sphere to be warily considering the extent of their use of (Facebook) data and potentially notifying circumstances.
Generally, the scandal comes at an interesting time, so close to 25 May 2018. It will be interesting to see what claims and circumstances insurers will have to consider in the face of an increasing combative ICO, public and parliamentary outrage regarding the exploitation of data, and a scandal that highlights exactly how personal data can be turned into profit and political leverage.
We anticipate the landscape of privacy claims will be shaped by these events in the years to come. Insurers will increasingly have to understand the value of data and the risks it presents.