The specter of group legal action following a severe data breach haunts 90% of security leaders. By comparison, 85% are concerned about the threat of regulatory fines, according to an Egress report commissioned to mark the third anniversary of the General Data Protection Regulation (GDPR).
The study, conducted by OnePoll, interviewed 250 security leaders and data protection officers (DPOs), and 2,000 consumers. It found that almost half – 47% – of consumers said they would consider joining a class-action lawsuit against an organization that leaked their personal data, and 67% were aware of their rights to take legal action under GDPR, suggesting that these worries may have some basis in reality.
“The financial cost of a data breach has always driven discussion around GDPR and, initially, it was thought hefty regulatory fines would do the most damage,” said Egress CEO Tony Pepper. “But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating the conversation.
“Organisations can challenge the ICO’s [Information Commissioner’s Office’s] intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist. With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”
Lisa Forte, a partner at Red Goat Cyber Security, added: “The most significant financial risk post-breach no longer sits with the regulatory fines that could be issued. Lawsuits are now commonplace and could equal the writing of a blank cheque if your data is compromised.
“European countries haven’t typically subscribed to a litigious way of regulating the behavior of companies. That is now changing, and without direct government intervention, companies will need to accept they need deeper pockets to cover the lawsuit gold rush we are starting to see.”
Forte further noted the Lloyd vs. Google case – currently before the UK Supreme Court – which, if successful, would make such group litigation ‘opt-out’ instead of ‘opt-in’. She said this should be a “huge worry” for CISOs and DPOs. A decision on the case is expected later in 2021.
In the meantime, Egress found that 91% of security leaders said they were turning to specialist insurance providers to cover them against cyber incidents and data breaches or had already upgraded existing policies since GDPR came in. However, Edina Asics, a specialist GDPR and data protection consultant at Belgium-based GIS-Consulting, said that this was not enough in and of itself.
“While cyber insurance might cover the financial damage caused by a data breach, it won’t help recover any reputational damage done,” she said. “I hope that the 91% of respondents that have changed their cyber-insurance policies in response to GDPR have also considered doing the right thing by putting more serious measures in place than click-through employee security training and remediating their loosely implemented security technologies in addition to, and not instead of, taking out cyber insurance.”
Nevertheless, and regardless of motivation, said Asics, there was much to be thankful for in security leaders taking steps to avoid damage to their companies because their actions were likely to favor consumers and overall data protection.
She added: “Having said that, looking at the past activity of the ICO and its enforcement habits, I am inclined to understand why security leaders are more worried about the actions of those who are directly impacted – the data subjects whose personal data is subject to their not-quite watertight security measures – and those data protection activists that have an even higher drive to prove that there is more that organizations can do to guard personal data.”