Security leaders more concerned about legal settlements than regulatory fines

An overwhelming 90% of security leaders are concerned about group legal settlements following a serious data breach, compared to 85% who are worried about regulatory fines, Egress reveals.


Launched to commemorate three years of GDPR, the research also found that 47% of consumers would be likely to join a class-action lawsuit against an organization that had leaked their data, confirming that security leaders' fears are well founded.

In response, 91% of security leaders are turning to cyber insurance to protect themselves from financial exposure by either taking out new policies or increasing their cover because of GDPR.

The survey, independently conducted by OnePoll on behalf of Egress, interviewed 250 security leaders and DPOs in the UK and 2,000 UK consumers.

Security leaders concerned about data breach legal settlements

  • 90% of security leaders are concerned about class action by data subjects in the event of a serious data breach, whereas 85% are concerned about regulatory fines
  • 47% of UK consumers say they’d join a class-action lawsuit against an organization that had leaked their data
  • 91% of security leaders reported taking out cyber insurance, or upgrading their policy, as a result of GDPR
  • 67% of UK consumers are aware that they have the right to take legal action against an organization that suffers a breach that exposes their personal data

Egress CEO Tony Pepper comments: “The financial cost of data breach has always driven discussion around GDPR – and initially, it was thought hefty regulatory fines would do the most damage. But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation. Organizations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist.

“With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”

Lisa Forte, Partner at Red Goat Cyber Security, comments: “The greatest financial risk post breach no longer sits with the regulatory fines that could be issued. Lawsuits are now commonplace and could equal the writing of a blank cheque if your data is compromised.

Companies will need deeper pockets to cover the lawsuits

European countries haven’t typically subscribed to a litigious way of regulating the behaviour of companies. That is now changing and without explicit Government intervention companies will need to accept they need deeper pockets to cover the lawsuit gold rush we are starting to see.

The recent Google case that currently sits with the UK Supreme Court could make group claims “opt out” instead of “opt in”. That will inevitably mean that every single customer affected would be entered into the group action. That should be a huge worry for companies.

Companies need to really prioritise preventative measures both technical and human and have a tested incident plan in place.

While in the United States, under CCPA, we have seen many actions, in Europe this is not (yet) widely used. However, I predict that this will grow as this right to take legal action becomes more popular – especially knowing that the ICO publishes a web page to provide guidance for data subjects taking such action. As a firm, this is a risk you want to consider, maybe more than regulatory fines, in my view.”

Cyber insurance won’t help recover reputational damage

Edina Csics, GDPR & Data Protection Consultant at GIS-Consulting, comments: “While cyber insurance might cover the financial damage caused by a data breach, it won’t help recover any reputational damage done. I hope that the 91% of respondents that have changed their cyber-insurance policies in response to GDPR have also considered doing the right thing by putting more serious measures in place than click-through employee security training and remediating their loosely implemented security technologies in addition to, and not instead of, taking out cyber-insurance. Data breaches do occur, and it’s a matter of when and not if, but in many cases these could be prevented.

But whatever their motivation, be it fearing collective lawsuits or regulatory fines, in taking steps to avoid financial damage, their actions may play in favor of consumers and the protection of their data.

Having said that, looking at the past activity of the ICO and its enforcement habits, I am inclined to understand why security leaders are more worried about the actions of those who are directly impacted – the data subjects whose personal data is subject to their not-quite watertight security measures – and those data protection activists that have an even higher drive to prove that there is more organizations can do to guard personal data.”
