Insurability of GDPR fines

Our Commercial Team recently reported on two significant proposed fines by the Information Commissioner's Office (ICO) in Notices of Intent served on British Airways and Marriott International.

In each case the proposed fines by the ICO relate to data breaches which occurred following a cyber-attack. The proposed fines are significant: £183.39 million in the case of British Airways and £99.2 million in the case of Marriott. These examples raise the question yet again of the insurability of such fines under English law.

Background

The vast majority of cyber policies will provide cover for fines and penalties "to the extent insurable by law". Yet the question of whether fines imposed by the ICO are insurable under English law is by no means clear.

The position with regard to the insurability of some other regulatory fines in the UK is clearer. The FCA handbook, for example, provides at GEN 6.1.5 that:

"No firm may enter into, arrange, claim on or make a payment under a contract of insurance that is intended to have, or has or would have, the effect of indemnifying any person against all or part of a financial penalty."

Similarly, in the case of fines imposed by the Competition and Markets Authority or the Serious Fraud Office, the position seems relatively settled (save in the case of strict liability) that the conduct in question is sufficiently "morally reprehensible" to trigger the "ex turpi causa" illegality defence – the doctrine which provides that a claim is unenforceable where it is based upon the claimant's illegal (or quasi-illegal) act.

GDPR fines

With regard to fines imposed by the ICO pursuant to the GDPR, some legal commentary has suggested that they are uninsurable as a matter of public policy, but we consider the position to be more nuanced and open to debate.

Plainly, where a fine is imposed as a result of criminal conduct it will not be insurable. Similarly, where the fine is imposed following sufficiently "morally reprehensible" or "quasi-criminal" conduct, there is no reason to believe that the courts would treat this any differently to fines imposed in competition or fraud cases. Thus, where a company is found to have intentionally or recklessly (and perhaps even negligently) breached the terms of the data protection legislation, it is likely that any subsequent fine will be uninsurable.

On the other hand, where a company finds itself in breach of the GDPR following a cyber-attack, it is possible to envisage an argument being advanced that the company's conduct was not sufficiently reprehensible to prevent any consequent fine from being insurable.

Commentary

The ICO said of the British Airways proposed fine that customer information was "compromised by poor security arrangements at the company". In Marriott's case, the ICO said the company had "failed to undertake sufficient due diligence" when it purchased Starwood (the company which had suffered the cyber-attack). Given these comments, and the significant size of the proposed fines, our view is that these fines would most likely be uninsurable under English law.

The insurers and reinsurers on risk under these insurance covers are no doubt awaiting the ICO's Monetary Penalty Notices, which will enable them to scrutinise the ICO's final fine amounts and, critically, its justifications for the fines. It is of note that, despite the Marriott data breach being on a significantly larger scale, the company faces almost half the fine amount of British Airways (albeit that the fine represents a greater percentage of the company's global turnover). It will be interesting to assess whether the market draws any distinction between the two companies' conduct and whether Marriott's conduct is deemed to have been less reprehensible, thereby opening up the possibility of coverage being available for that fine.

As a more general observation, the position could arguably be different (and possibly more clear cut) in the case of a highly sophisticated cyber-attack where the insured's conduct was not open (or not so open) to criticism, for example where the insured's IT systems are up-to-date but cyber criminals develop a novel means of stealing data. Presumably any fine levied in such circumstances would be significantly lower, but given that the maximum fine for a purely administrative breach of the GDPR is €10,000,000 or 2% of the company's total worldwide annual turnover, it could still be significant.

In the meantime, the Organisation for Economic Cooperation and Development (OECD)'s insurance and private pensions committee is considering the question of insurability of fines for privacy breaches and will hopefully be able to offer guidance to policyholders soon.

If you would like to discuss the issues raised in this article further, please contact garbhan.shanks@michelmores.co.uk or harriet.chopra@michelmores.co.uk.