Three years after the General Data Protection Regulation came into force, UK security professionals are more concerned about class action lawsuits following a serious data breach than they are about regulatory fines.
This is among the findings of research carried out for security software firm Egress. The research also suggests that about half of consumers are prepared to join a class action lawsuit against an organisation that had leaked their data, hinting that security professionals’ fears are not misplaced.
In response, 91% of security leaders are turning to cyber insurance to protect themselves from financial exposure by either taking out new policies or increasing their cover because of GDPR.
Egress CEO Tony Pepper said: “The financial cost of data breach has always driven discussion around GDPR – and initially, it was thought hefty regulatory fines would do the most damage. But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation. Organisations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist. With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”
Lisa Forte, Partner at Red Goat Cyber Security, added: “The greatest financial risk post breach no longer sits with the regulatory fines that could be issued. Lawsuits are now commonplace and could equal the writing of a blank cheque if your data is compromised.
“European countries haven’t typically subscribed to a litigious way of regulating the behaviour of companies. That is now changing and without explicit Government intervention companies will need to accept they need deeper pockets to cover the lawsuit gold rush we are starting to see.
“The recent Google case that currently sits with the UK Supreme Court could make group claims opt out instead of opt in. That will inevitably mean that every single customer affected would be entered into the group action. That should be a huge worry for companies.
“Companies need to really prioritise preventative measures both technical and human and have a tested incident plan in place.”
The survey, independently conducted by OnePoll on behalf of Egress, interviewed 250 security leaders and DPOs in the UK and 2,000 UK consumers.