It has been 3 years since the GDPR took effect and fines for noncompliance are being issued, but most security leaders are more concerned about litigation than GDPR fines, according to a recent study conducted by Egress.
The survey polled 250 security leaders and data protection officers in the United Kingdom. It revealed widespread concern about the fallout from data breaches, which are occurring more and more often.
The fine for a violation of the EU General Data Protection Regulation following a data breach could be as high as €20 million or 4% of global annual turnover for the previous fiscal year, but fines of that magnitude have generally not been issued. The cost of litigation following a data breach may not reach the maximum GDPR fine, but the cost of a class action lawsuit could still be devastating, and there is a very real possibility of legal action following a data breach. The Egress survey found that 90% of security leaders were concerned about class action lawsuits after a data breach, and 85% were concerned about GDPR regulatory fines.
In response to the GDPR, 91% of security leaders have taken out a cyber insurance policy or increased their cyber insurance coverage to protect against financial penalties. There is good reason for this. Egress also surveyed 2,000 UK consumers and found that 47% would join a class action lawsuit against a company that leaked their personal data, and 67% were aware that they have the right to take legal action against companies that have suffered a data breach exposing their personal data.
“Organizations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist,” said Egress CEO Tony Pepper. “With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”
A lawsuit against Google currently before the UK Supreme Court could prove to be a game changer. Huge numbers of people have been affected, and in contrast to many group legal settlements, the UK Supreme Court is considering whether group claims should be opt-out rather than opt-in. If it rules that way, every individual affected by the breach would be due a payout unless they specifically opted out. That could be hugely damaging for Google and for any other business that suffers a data breach in the future.
“The greatest financial risk post-breach no longer sits with the regulatory fines that could be issued. Lawsuits are now commonplace and could equal the writing of a blank cheque if your data is compromised,” said Lisa Forte, Partner at Red Goat Cyber Security.