GDPR fines turn data protection infringements into expensive mistakes. Can a business get insurance for a GDPR fine, particularly if the fine follows a cyberattack?
In this article, first published on 15 January 2024, associate Arjun Dhar challenges the view that GDPR fines are categorically uninsurable in England and Wales. This insight contains key takeaways for insurance policyholders, and was updated in May 2024 to reference the ICO’s proposed fine against the Police Service of Northern Ireland.
The problem
The UK General Data Protection Regulation (“GDPR”) applies to data controllers and processors in the UK and to data controllers and processors anywhere whose processing activities relate to offering goods and services to or monitoring the behaviour of data subjects in the UK. Importantly, it applies regardless of the data controllers’ and processors’ size or industry.
Consider the following fictional companies:
- A fast-growing startup on a mission to improve customer experiences by integrating new AI technologies into data analytics,
- A successful and growing sports centre with outlets across the country that keeps digital copies of the health declarations made by each of its members when they join, or
- A long-established family bookstore that keeps records of its customers and their purchases in an Excel spreadsheet on its shop computer.
Each of these is susceptible to the risk of a cyberattack in which hackers isolate personal data held on the company’s servers and threaten to release or delete it if a ransom is not paid. As required by Art. 33 GDPR, these companies must notify the appropriate data protection authority (“DPA”), which may then open an investigation into the company’s data handling practices and security measures. If the DPA concludes that the company’s security measures were not robust enough to meet the threshold set by Art. 32(1) GDPR, fines may be imposed on the business.
Since it came into effect on 25 May 2018, the GDPR has given UK businesses an important but steep hill to climb. One difficulty is that the adequacy of the technical and organisational measures a company employs is judged in most cases (including our set of scenarios) only after a personal data breach has occurred, ie after the measures have failed to stop a hacker from accessing personal data. Unfortunately for the companies, while their good intentions may get the infringement classified as “negligent” rather than “intentional”, it does not necessarily absolve them of a penalty. Combine this with the reality of the fast-growing sophistication of cybercrime, and the risk becomes a shapeshifting, ever-present one, even for companies that have invested in cybersecurity measures and believe they have appropriate measures in place.
The commercial solution and the legal problem
The good news is that many cyber risk insurance policies contain provisions covering GDPR fines, using the language of “privacy regulatory awards” or similar. The bad news is that these provisions often contain the caveat “to the extent insurable by law” or similar, purporting to put the policyholder on notice that such a provision would be void of effect if precluded by the laws of the relevant jurisdiction. There has not yet been a case settling the question definitively in England and Wales, giving insurers space to decline claims by asserting that GDPR fines are either uninsurable or that their insurability is uncertain. This is despite them having included and priced in cover for such fines when the insurance policy was placed.
The law
In England and Wales, courts have historically declined to enforce indemnities that would facilitate the evasion of penalties. The legal mechanism for this is known as the illegality exception or the common law Latin maxim ex turpi causa non oritur actio (which translates as “no action can arise from an illegal act”). Rationales for this include that it would be “immoral” to do so, it is an abuse of the court process, “a person should not benefit from his or her wrong”, and that the law should “be coherent and not self-defeating, condoning illegality by giving with its right hand what it took away by its left hand”. A single overarching principle conveniently unites these rationales: a court will decline to enforce a contractual term where doing so would be contrary to public policy. This forms the basis for insurers’ arguments that GDPR fines are uninsurable.
This analysis is, however, incomplete. The law is not so binary as to provide insurers with cover for blanket declinature. As Lord Justice Bingham said in Saunders v Edwards, “… it is unacceptable that the court should, on the first indication of unlawfulness affecting any aspect of a transaction, draw up its skirts and refuse all assistance to the plaintiff, no matter how serious his loss nor how disproportionate his loss to the unlawfulness of his conduct”. Moreover, it is clear following Patel v Mirza that the maxim is based on public policy, requiring the court to “[weigh] up the equities of each case as it arises”.
Public policy
As Lord Sumption said in Les Laboratoires Servier v Apotex: “The paradigm case of an illegal act engaging the defence is a criminal offence.” However, in the same case, Lord Sumption suggested that the maxim would apply to “the infringement of statutory rules enacted for the protection of the public interest and attracting civil sanctions of a penal character”. In Patel v Mirza, Lord Toulson, in explaining the division of responsibility between the criminal and civil courts, said: “Punishment for wrongdoing is the responsibility of the criminal courts and, in some instances, statutory regulators.” These, and their interface with public policy, were not considered in further detail.
The lack of further engagement with public policy is important because regulatory penalties are not a monolith, and there is unlikely to be a single answer as to their insurability. A Financial Conduct Authority (“FCA”) fine interacts differently with public policy from a Competition and Markets Authority (“CMA”) fine or a DPA fine. The application of the maxim to some types of regulatory penalties does not imply its application to all. Moreover, the “turpitude” (using Lord Sumption’s language in Les Laboratoires Servier) of conduct leading to regulatory fines is not uniform. Commentators have criticised a rule-based approach for its failure to differentiate between serious criminality and a minor breach of a statutory regulation. Examples of meaningful differences include the seriousness of the conduct, whether it was intentional, and the disproportionality of disallowing the claim to the unlawfulness of the conduct (all factors considered potentially relevant by the court in Patel v Mirza).
In a GDPR context, one example is that restrictions on insurance would incentivise data controllers and processors to disregard their obligations at the reporting stage, using liberal interpretations of uncertain GDPR concepts such as “likelihood of high risk to the rights and freedoms of data subjects” or “undue delay” to minimise disclosure. The risk of a GDPR penalty also falls on vastly more small and medium-sized enterprises (which are less likely to have access to legal advice, particularly on data protection) than do the risks of FCA or CMA penalties.
Meanwhile, in an environment of uncertainty, it is instructive to look at the approach taken by regulators. Whereas the FCA Handbook expressly forbids insurance that would indemnify against a financial penalty, the UK ICO expressly declined to take a position on the subject. There appears, therefore, to be no generally applicable principle that GDPR fines are uninsurable as a matter of public policy.
An example in practice
Following a 2023 breach, the ICO announced a proposed fine of £750,000 against the Police Service of Northern Ireland (PSNI). The fine was initially assessed at £5.6 million, and reduced in line with the Information Commissioner’s “revised approach to working more effectively with public authorities”. A similar approach was taken to the Cabinet Office’s fine in November 2021, which was reduced from £500,000 to £50,000.
The size of the fine can be understood against recently released guidance by the ICO on its fining practices. In particular, the Commissioner considers, when deciding whether to impose a fine:
- the seriousness of the infringement or infringements;
- any relevant aggravating or mitigating factors; and
- whether imposing a fine would be effective, proportionate and dissuasive.
The guidance confirms that in imposing a fine, the ICO is guided by these three factors rather than solely whether it matches the turpitude of the breach of the GDPR. This demonstrates that ICO fines interact differently with public policy than other types of penalties, rendering some ICO fines insurable.
Conclusion
Unless and until the courts conclude definitively that GDPR fines as a category are uninsurable, it is for insurers to establish, in each declinature, policy-based reasoning why a relevant GDPR fine is uninsurable. Policyholders with cyber risk policies covering GDPR fines should demand that if cover is declined on the basis that a penalty is uninsurable, then the insurer provides thorough, policy-based reasoning to explain why.
Takeaways for policyholders
- The insurability of any GDPR fine depends on the facts of the case and how they interact with public policy. Factors such as the seriousness of the harm, the intentionality of the breach, public policies that conflict with the insurability of the fine, the likelihood of the perpetrator profiting from the wrongdoing, etc., should be considered.
- Each case is judged on its own merits. Policyholders whose claims are denied are entitled to a thorough explanation of the reasons for the declinature.
- A Data Protection Commissioner’s (“DPC”) decision can be a useful starting point in applying the relevant factors. For example, a DPC’s finding that data was accessed but not expropriated by a hacker, or that the breach was negligent and not intentional, can go towards establishing a lower seriousness of harm and a lack of intentionality.