Nine in 10 (90%) security leaders are concerned about data breach litigation from class action lawsuits, according to new research by Egress.
Published on the third anniversary of the GDPR coming into force, the survey highlighted that security leaders and data protection officers (DPOs) are even more concerned about legal settlements for data subjects than they are about regulatory fines (85%) following a serious data breach.
As a result of these concerns, 91% of the 250 security leaders and DPOs in the UK polled revealed they have taken out new cyber-insurance policies or increased their cover to protect themselves from financial exposure because of GDPR.
These fears appear well founded, with high awareness among consumers of the increased rights afforded to them under GDPR also demonstrated by the study. It showed that nearly half (47%) of the 2000 UK consumers surveyed would join a class-action lawsuit against an organization that had leaked their data. Additionally, over two-thirds (67%) said they were aware they have the right to take legal action against an organization that experiences a breach that exposes their personal data.
Tony Pepper, CEO at Egress explained: “The financial cost of data breach has always driven discussion around GDPR – and initially, it was thought hefty regulatory fines would do the most damage. But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation.
“Organizations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist. With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”
Commenting, Lisa Forte, partner at Red Goat Cyber Security LLP, said: “The greatest financial risk post breach no longer sits with the regulatory fines that could be issued. Lawsuits are now common place and could equal the writing of a blank cheque if your data is compromised. European countries haven’t typically subscribed to a litigious way of regulating the behavior of companies. That is now changing and without explicit government intervention companies will need to accept they need deeper pockets to cover the lawsuit gold rush we are starting to see."
"The recent Google case that currently sits with the UK Supreme Court could make group claims 'opt out' instead of 'opt in'", Lisa Forte continued. "That will inevitably mean that every single customer affected would be entered into the group action. That should be a huge worry for companies. Companies need to really prioritize preventative measures both technical and human and have a tested incident plan in place.”