Threat of group GDPR legal action haunts CISOs

The vast majority of security leaders questioned for a new report say they are concerned about the possibility of group legal settlements against them following a serious data breach

The spectre of group legal settlements following a serious data breach haunts 90% of security leaders, while 85% are more concerned about the threat of regulatory fines, according to an Egress report commissioned to mark the third anniversary of the General Data Protection Regulation (GDPR).

The study, conducted by OnePoll, interviewed 250 security leaders and data protection officers (DPOs) and 2,000 consumers. It found that almost half – 47% – of consumers said they would consider joining a class action lawsuit against an organisation that leaked their personal data, and 67% were aware of their rights to take legal action under GDPR, suggesting that these worries may have some basis in reality.

“The financial cost of a data breach has always driven discussion around GDPR and, initially, it was thought hefty regulatory fines would do the most damage,” said Egress CEO Tony Pepper. “But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation.

“Organisations can challenge the ICO’s [Information Commissioner’s Office’s] intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist. With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”

Lisa Forte, partner at Red Goat Cyber Security, added: “The greatest financial risk post-breach no longer sits with the regulatory fines that could be issued. Lawsuits are now commonplace and could equal the writing of a blank cheque if your data is compromised.

“European countries haven’t typically subscribed to a litigious way of regulating the behaviour of companies. That is now changing and without explicit government intervention, companies will need to accept they need deeper pockets to cover the lawsuit gold rush we are starting to see.”

Forte further noted the Lloyd vs Google case – currently at the UK Supreme Court – that, if successful, would make such group litigations ‘opt-out’ as opposed to ‘opt-in’. She said this should be a “huge worry” for CISOs and DPOs. A decision on this case is expected later in 2021.

In the meantime, Egress found that 91% of security leaders said they were turning to specialist insurance providers to cover them against cyber incidents and data breaches, or had already upgraded existing policies since GDPR came in. However, Edina Csics, a specialist GDPR and data protection consultant at Belgium-based GIS-Consulting, said that this was not enough in and of itself.

“While cyber insurance might cover the financial damage caused by a data breach, it won’t help recover any reputational damage done,” she said. “I hope that the 91% of respondents that have changed their cyber-insurance policies in response to GDPR have also considered doing the right thing by putting more serious measures in place than click-through employee security training and remediating their loosely implemented security technologies in addition to, and not instead of, taking out cyber insurance.”

Nevertheless, and regardless of motivation, said Csics, there was much to be thankful for in security leaders taking steps to avoid damage to their companies, because their actions were likely to play in favour of consumers and overall data protection.

She added: “Having said that, looking at the past activity of the ICO and its enforcement habits, I am inclined to understand why security leaders are more worried about the actions of those who are directly impacted – the data subjects whose personal data is subject to their not-quite watertight security measures – and those data protection activists that have an even higher drive to prove that there is more that organisations can do to guard personal data.”
