Cyber insurance and data breach claims

Today, Alasdair Cook, one of our Technical Claims Managers, is sharing his thoughts and insights into current data breach claims trends.

"One of our solicitor partners, BLM, have shared some commentary on a recent court judgement regarding data privacy. In summary, the defendant was a large retailer who was the victim of a cyber attack. The claimant was a customer of said retailer and brought a claim for damages on the basis that his personal information had been compromised.

The claim was brought under the allegations of:

  • breach of confidence
  • misuse of private information
  • breach of the Data Protection Act 1998 (DPA)
  • common law negligence.

The Judge concluded that all allegations except the DPA breach had no substance. This is because:

  • The breach of confidence and misuse of private information both require some positive action by the defendant i.e deliberate activity that facilitated the breach, as opposed to the simple failure to prevent a cyber-attack.  
  • Common law negligence requires ‘damage’ in the form of recognised psychological or physical injury (and in any case there is already a statutory regime to deal with this under the DPA).

The Judge transferred the DPA claim to be heard in the County Court.

A cyber policy, whilst providing assistance to policyholders in the event of a cyber attack, also provides cover for any third party claims arising from such an attack (which would not be covered by a normal liability policy). This judgement is especially relevant to scenarios where third party claims arise under a cyber policy.

It also provides some useful insight into the behaviour of some Claimant solicitors who will sometimes ‘throw in’ allegations of breach of confidence/misuse of private information in cases where they are not appropriate because they can recover After The Event (ATE) premium costs in these instances. Without such claims, ATE premiums are not recoverable. As BLM point out in their analysis, if claimant solicitors are less likely to take out ATE cover this may lead to fewer claims being pursued.

Finally, claimant solicitors will sometimes claim that data protection claims should always be heard in the High Court (with associated costs consequences) rather than the County Court. This judgement suggests otherwise.

In a separate (but equally important) recent development, Aviva and BLM have been successful in limiting legal fees in some data protection claims.

In some data breach claims, solicitors will settle their client’s damages for a small sum and then claim for their own legal costs at a far higher figure, sometimes 10 times the amount their client receives, or even more.

In normal circumstances, claims which settle for under £10,000 in damages and which don’t involve any injury fall under the Small Claims Track. If these cases go to court, only certain expenses can be recovered by the winning party, but no legal fees are payable. However, claimant solicitors will sometimes argue (for obvious reasons) that data breach claims do not fall into this category and that full (‘standard’) legal costs should be payable.

We have recently put forward successful arguments to a judge in 2 claims that claimant solicitors should not be entitled to costs for claims under £10,000. Certain claimant solicitor firms have seen small data breach claims as a valuable revenue stream in recent years, however if this trend continues it may be that there is little commercial benefit to pursuing such claims in the future."

For more information about Aviva’s Cyber insurance solution, take a look at our Cyber Playbook