Litigation, not fines, key concern for security professionals as GDPR turns three

Three years after the General Data Protection Regulation came into force, UK security professionals are more concerned about class action lawsuits following a serious data breach than they are about regulatory fines.

This is among the findings of research carried out for the security software firm Egress, which also suggests that about half of consumers are prepared to join a class action lawsuit against an organisation that has leaked their data, hinting that security professionals’ fears are not misplaced.

In response, 91% of security leaders are turning to cyber insurance to protect themselves from financial exposure by either taking out new policies or increasing their cover because of GDPR.

Egress CEO Tony Pepper said: “The financial cost of data breach has always driven discussion around GDPR – and initially, it was thought hefty regulatory fines would do the most damage. But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation. Organisations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist. With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”

Lisa Forte, Partner at Red Goat Cyber Security, added: “The greatest financial risk post breach no longer sits with the regulatory fines that could be issued. Lawsuits are now commonplace and could equal the writing of a blank cheque if your data is compromised.

“European countries haven’t typically subscribed to a litigious way of regulating the behaviour of companies. That is now changing and, without explicit Government intervention, companies will need to accept that they need deeper pockets to cover the lawsuit gold rush we are starting to see.

“The recent Google case that currently sits with the UK Supreme Court could make group claims opt out instead of opt in. That will inevitably mean that every single customer affected would be entered into the group action. That should be a huge worry for companies.

“Companies need to really prioritise preventative measures both technical and human and have a tested incident plan in place.”

The survey, independently conducted by OnePoll on behalf of Egress, interviewed 250 security leaders and DPOs in the UK and 2,000 UK consumers.
