Technology and cyber
In this chapter of our Annual Insurance Review 2019, we look at the main developments in 2018 and expected issues in 2019 for technology and cyber.
Key developments in 2018
2018 was the year the General Data Protection Regulation (GDPR) came into force.
The effects can be seen in the number of self-reported data breach notifications and complaints made to the Information Commissioner’s Office (ICO). As of July 2018, these were up 30% and 23% respectively (Annual Report 2017–18).
Our experience, through our breach response service ReSecure, is that a dominant recent and current cause of data protection incidents is mailbox breaches, often through phishing attacks. These take the form of an email with a link inviting the user to enter their login details. Once the hackers gain access, they have a number of avenues to exploit, including attempting to perpetrate fraud through impersonation, downloading malware, or sending further spam from the hijacked email account to the contacts in it.
There are a number of steps available both to provide protection and to limit the damage. The easiest and most effective is multi-factor authentication (MFA). When it is implemented, an individual must verify their identity through an alternative source before they can log in, often by entering a one-time password sent to a trusted device (such as a mobile) in addition to their usual password.
Almost invariably, when responding to data breaches of this kind we have seen the ICO recommend that MFA is implemented.
What to look out for in 2019
We anticipate a potential increase in group litigation, supported by the growing litigation funding market as well as damage-based agreements and collective conditional fee arrangements.
We have already seen a glimpse of this in the WM Morrison Supermarkets Plc (Morrisons) case. This involved a disgruntled employee posting online the personal and financial information of almost 100,000 employees. Notably, the court found that Morrisons was not in breach of its data security obligations to any material extent. Despite this, it held Morrisons vicariously liable for the actions of its employee, acknowledging that in doing so it was furthering the employee’s criminal aims.
A decision as to the quantum of damages will be the subject of a separate trial.
Anticipating the potential effects of its decision, the court directly addressed the “many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals … [which] might … lead to a large number of claims … for potentially ruinous amounts.” The court’s proposed solution is to “insure against such catastrophes”.
In light of this, and a costs regime where “incurred costs” are not shackled by costs management orders, we expect claimant law firms to try to take advantage by looking to bring claims on behalf of groups of data subjects affected by personal data breaches. The need to be organised and aware in preparation and response will be more important than ever.
Authored by Ian Dinning.