FOCUS: UK courts are likely to see an increasing number of disputes over the extent to which insurers are liable for the cost of cyber incidents and data breaches suffered by businesses where those companies make claims under general insurance policies.
A ruling in the US last month (8-page / 22KB PDF) shows that general insurance policies can provide businesses with protection against cyber risks when they materialise even if insurers had not anticipated providing such coverage under those policies.
At the moment few businesses in the UK have insured specifically against cyber risks by taking out dedicated cyber insurance policies. In contrast, there is an increasing likelihood that companies will fall victim to cyber attacks or data breaches.
Until the cyber insurance market matures in the UK we can therefore expect many organisations to seek to rely on the terms of general insurance policies to provide coverage against costs they face from cyber incidents. Insurers may not have anticipated providing cover against such risks under those general policies and so it is likely that disputes will arise as to the scope of cover they provide.
The US ruling
The US case concerned a dispute between a health care provider and an insurance company over whether the insurer could be forced to defend the health body against a class action lawsuit. The lawsuit has been raised by a number of people whose medical records, held by the health body, were published and accessible on the internet, it has been claimed.
In an unpublished opinion, which means the decision is not binding precedent in the US, the US Court of Appeals backed the legal analysis of the lower district court that had earlier heard the case. It said that, under Virginia state law, "insurers must use 'language clear enough to avoid … ambiguity' if there are particular types of coverage that it does not want to provide".
The Court of Appeals held that the alleged publication of private medical information, as claimed by those behind the class action, was conduct which the health body has insurance coverage against under the policy it had with the insurer.
If publication of those medical records is proven during the class action case then it "would have given 'unreasonable publicity to, and disclose[d] information about, patients’ private lives,' because any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online", the Court of Appeals said. The insurer "has a duty to defend" the health provider "against the class-action complaint", it ruled.
When will the UK's cyber insurance market mature?
Common existing insurance policies, such as professional indemnity cover, directors & officers insurance or property risk cover might provide some limited cyber cover. However, there are gaps and overlaps in the cyber coverage provided under those policies and, with cyber attacks becoming more frequent and sophisticated, it is clear that cyber risk needs to be protected under a standalone cyber insurance policy.
However, some businesses view dedicated cyber insurance products as too expensive or struggle to understand the differences between the various products on offer in the market. This has meant that companies in the UK are not yet demanding and buying specialist cyber cover in meaningful numbers.
New EU data protection laws, set to take effect in two years' time, could help spur the cyber insurance market. The General Data Protection Regulation will require companies to notify data breaches to regulators and, potentially, to those individuals likely to be affected. Currently, save for in certain sectors such as telecommunications, data breaches do not need to be reported.
New mandatory data breach reporting requirements will raise public awareness of failings in data security and present increased reputational risks for businesses. In addition, administrative fines for data breaches will increase substantially under the new Regulation. While the UK's Information Commissioner's Office (ICO) can currently serve fines of up to £500,000 for serious data breach incidents, it and other data protection authorities across the EU will have the power to serve fines on businesses of up to €10 million or 2% of their global annual turnover for the preceding financial year, whichever is higher, if they breach their data security obligations under the new Regulation, and of up to €20 million or 4% for other infringements.
These are new risks that businesses will want to insure against.
Other factors could accelerate change in the market too. These include the growing trend of group litigation and an ongoing case that will determine the basis on which consumers can claim damages for breaches of the Data Protection Act.
It had been generally accepted that individuals had to show financial loss flowing from a breach of data protection laws to open the way for a claim for damages for distress. However, a decision by the Court of Appeal last year developed the law in this area. Individuals can currently claim distress damages without having to show any financial loss. That decision is the subject of an appeal before the Supreme Court.
In a world of significant financial and reputational risk for businesses there will be increasing appetite for dedicated cyber cover and an opportunity for insurers and brokers to grow the market. Until then, it is likely that courts will be asked to pore over general insurance policies to determine whether they can be construed to provide cyber cover to businesses.
Ian Birdsey is an expert on cyber risk at Pinsent Masons, the law firm behind Out-Law.com.