An overwhelming 90% of security leaders are concerned about class action lawsuits following a serious data breach, compared with 85% who are concerned about regulatory fines, Egress reveals.
Published to mark three years of GDPR, the research also found that 47% of consumers would be likely to join a class action lawsuit against an organization that leaked their data, showing that those concerns are well founded.
In response, 91% of security leaders have turned to cyber insurance to offset the financial risk, purchasing new policies or increasing their existing coverage because of GDPR.
The survey, conducted independently by OnePoll on behalf of Egress, interviewed 250 security leaders and DPOs (data protection officers) in the UK and 2,000 UK consumers.
Security leaders concerned about the legal consequences of data breaches
- 90% of security officials concerned about class action lawsuits for data breaches, while 85% are concerned about regulatory fines
- 47% of UK consumers say they would join a class action lawsuit against an organization that leaked their data
- 91% of security officials said they purchased cyber insurance or upgraded their policy as a result of GDPR
- 67% of UK consumers know they have the right to take legal action against an organization that suffers a breach that exposes their personal data
Egress CEO Tony Pepper comments: “The financial cost of a data breach has always sparked discussions around GDPR – and initially it was thought that heavy regulatory fines would do the most damage. But the largely unintended consequences of class actions and independent litigation now dominate the conversation. Organizations can challenge the ICO’s intention to impose a fine in order to reduce the amount, and over the past year the ICO has shown leniency towards companies affected by the pandemic, such as British Airways, letting them off with significantly reduced fines that were seen by many as simply a slap on the wrist.
“With those affected very aware of their rights, and with lawsuits potentially becoming ‘opt-out’ for those affected in the future, security leaders are right to be concerned about the financial impact of litigation.”
Lisa Forte, Partner at Red Goat Cyber Security, comments, “The biggest financial risk after a breach is no longer in the regulatory fines that could be imposed. Lawsuits are now commonplace and could amount to writing a blank check if your data is compromised.
Businesses will need deeper pockets to cover lawsuits
European countries have generally not subscribed to a litigious way of regulating corporate behavior. This is changing, and without explicit government intervention companies will have to accept that they need deeper pockets to cover the gold rush that we are starting to see.
The recent Google case, which is currently before the UK Supreme Court, could see group claims become ‘opt-out’ instead of ‘opt-in’. This would inevitably mean that every affected customer would be involved in the group action. This should be a major concern for businesses.
Companies really need to prioritize preventative measures, both technical and human, and have a tested incident response plan in place.”
Eric Bedell, Chief Privacy Officer, Franklin Templeton, comments: “When implemented in 2018, GDPR set the tone for how the use of personal data should be regulated. While regulatory fines grabbed the headlines (and were often used as a trigger for GDPR implementation), there is a lesser-known aspect: the right to take legal action against an organization, not just for data breaches, but also for failing to erase personal data, to rectify it, to respond to data subject access requests (DSARs) or to provide data in a portable form.
While in the United States, under the CCPA, we have seen many such actions, in Europe this right is not (yet) widely used. However, I predict this will increase as the right to sue becomes more widely known – especially given that the ICO publishes a webpage providing guidance to individuals who take such action. As a business, this is a risk you want to consider, perhaps more than regulatory fines, in my opinion.”
Cyber insurance won’t help recover reputation damage
Edina Csics, GDPR and Data Protection Consultant at GIS-Consulting, comments: “While cyber insurance can cover the financial damage caused by a data breach, it will not help recover damage to reputation. I hope that the 91% of those surveyed who changed their cyber insurance policy in response to GDPR also considered doing the right thing by putting in place more serious measures than click-through employee security training and by remedying their poorly implemented security technologies, instead of purchasing cyber insurance. Data breaches do happen, and it’s a matter of when and not if, but in many cases they could be prevented.
But whatever their motivation for taking action to avoid financial damage, whether fear of class actions or of regulatory fines, their actions can work in favor of consumers and the protection of their data.
Having said that, looking at the ICO’s past activity and its enforcement habits, I can understand why security leaders are more concerned about actions by those directly affected – the data subjects whose personal data is subject to their not particularly tight security measures – and by data protection activists, who have an even greater will to prove that organizations can do more to protect personal data.”