Simon Cheng Managing Associate
Are fines and penalties relating to breach of data privacy regulations insurable? – Review from the UK and Hong Kong perspectives
Breach of data privacy protection regulation, with the new European Union’s General Data Protection Regulation (“GDPR”) coming into effect, can result in draconian fines and penalties.
In January 2019, Google was fined 50 million Euros for improper disclosure to users as to how data is collected across its services, including its search engine, Google Maps and YouTube, to present personalized advertisements. This penalty is by far the largest penalty to date since the implementation of the new GDPR. British Airways faces a possible fine of £500 million over the data breach of leaking the customer details, including bank card numbers, expiry dates and cvv codes in a cyber-attack.
Despite conventional thinking of prohibiting insurances against the fines and penalties based on public policy argument, there is certainly demand for expansion of related data breach insurances. By comparing UK and other EU jurisdictions as well as Hong Kong, the trend for data breach related insurances are on the rise.
1. Breach of data privacy regulation – the new GDPR and ICO penalties and fines
Recent events of serious fines and penalties for breach of data protection regulation have sparked discussions over the globe. In January 2019, Google was fined 50 million Euros by the French regulator, CNIL, for improper disclosure to users as to how data is collected across its services, including its search engine, Google Maps and YouTube, to present personalised advertisements. This penalty is so far the largest penalty to date since the implementation of the new European Union’s General Data Protection Regulation (“GDPR”). British Airways faces a possible fine of £500 million over the data breach of leaking the customer details, including bank card numbers, expiry dates and cvv codes in a cyber-attack.
Under the new GDPR which took effect on 25 May 2018, fines for organisations which breach GDPR can reach up to 20 million Euros, or up to 4% of a company group’s annual global turnover, whichever is higher; and EURO 10 million or 2% for lesser infringements.
In the UK, the regulators have always adopted a relatively robust approach in terms of imposing penalties and fines to deter data privacy breach, even before the GDPR took effect. Examples include:-
> The Information Commissioner’s Office (ICO) has the power to impose monetary penalties of up to £500,000 to organisations which have breached the Data Protection Act 1998, or the Privacy and Electronic Communications Regulations (PECR).Facebook was fined the maximum £500,000 by the ICO for serious data breach affecting 87 million users;
> Heathrow Airport Limited (HAL) has been fined £120,000 by the ICO for failing to ensure that the personal data held on its network was properly secured; and
> the Financial Control Authority (the “FCA”) has previously fined Tesco Personal Finance plc (Tesco Bank) £16,400,000 for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack.
The UK Data Protection Act 2018 was enacted for purpose of implementing GDPR in the UK, replacing the Data Protection Act 1998 and allowing the ICO to levy fines of up to £17m, or 4 per cent of global turnover, on organisations that breach the rules.
In view of such serious penalties for infringement of GDPR or other data protection regulation, whether fines and penalties for data protection breach are insurable is an interesting area which concern global enterprises and corporations.
2. Wide scope of enforcement of GDPR
The issue of serious penalties for infringement of GDPR or other data protection regulation concerns more than just EU established businesses. Article 27 of the EU GDPR provides that companies outside the EU have to establish representatives in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored. The European Data Protection Board, in their Guidelines 3/2018 on territorial scope of the GDPR issued in November 2018 (for public consultation), has made it quite clear that representative appointed under Article 27 is subject to the same enforcement action, with the possibility of being held liable for any fines and penalties imposed under the GDPR. The scope of possible enforcement of GDPR, therefore, can be far-fetching. This amplifies the risks of possible fines and penalties of non-EU organisations, as well as their representatives, in data breach and thus the need for insurance hedging relevant risks.
3. Uncertainty surrounding insurability of fines and penalties – the public policy argument
Whether regulatory fines are insurable is still a grey area. In the UK, it is clear that any insurance for regulatory fines for financial regulated business is prohibited by the FCA. The argument for the ban is one based on a public policy argument - the legal doctrine of ex turpi causa (the principle of illegality defence). In short, under English law, the claimant is not entitled to pursue a claim based on his/her own illegal acts.
Public policy reason in impeding insurances of criminal fines is apprehensible – the deterring effect should not be negated by allowing insurance claims of a fine which is of punishing effect. In the case of Gray v Thames Trains  1 A.C. 1339, Lord Hoffman held that the principle of ex turpi causa precluded a person from recovering compensation either for losses suffered in consequence of his own criminal act or for damage that was the consequence of a sentence imposed on him for a criminal act.
This prompts the question of whether public policy reason and illegality defence apply to breach of data protection regulations – which appears to be more regulatory fines than criminal punishment. It was held in Safeway Stores Ltd v Twigger  EWCA Civ 1472 that, in relation to a breach of the Competition Act 1998, the undertaking company was not entitled to recover the amount of such penalties from its directors or employees who were themselves responsible for the infringement, otherwise it would be contrary to the principle of illegality defence.
Nevertheless, the Safeway case did not draw a complete line on whether regulatory penalties and fines are insurable. In a more recent case of Sainsbury’s Supermarkets Ltd v MasterCard Incorporated and others  CAT 11, the preliminary issue of “ex turpi causa” was rejected as a ground to dispose the whole action. There is no absolute bar to recovery of damages for a breach of the competition rule. Therefore, in the case of data privacy breach, which is more a regulatory breach, whether the public policy reason and the principle of ex turpi causa would apply remains unclear.
Indeed, in the 2018 appeal case of Morrison Supermarket’s data breach, the Court of Appeal has suggested that buying insurance is a valid answer to potential ruinous amounts of data breaches. The possible large scale of fines and penalties in case of data breaches shows the need for insurances against the relevant risks.
4. Limited availability of insurance cover for fines and penalties
Notwithstanding that there is certainly a need for insurance cover against data privacy and cyber related fines and penalties, particularly in light of the GDPR, the availability of such insurance coverage is currently limited, even within the EU. So far as we are aware, there are only very few jurisdictions in Europe that allow insurability of GDPR fines, for example, Norwayand Finland. In Finland, GDPR fines are insurable except for deliberate or gross negligent conducts. Interestingly in Norway, the Department of Justice of Norway took the view that under proposed Norwegian legislation, breaches under GDPR will not be subject to criminal sanctions, which means it does not see GDPR breaches as “criminal”. Following this line of thinking, the above mentioned principle of “illegality defence” does not apply to data protection breaches, and thus insurable.
A number of factors may explain why general availability of such insurance coverage on the market is currently limited. We have already discussed the issue concerning public policy and illegality argument above which makes insurability of fines and penalties either impossible, or at least unclear, under the law of different jurisdictions. Another issue is the difficulty in accurately calculating and pricing the risks in insurance policy due to the novelty of various possible cyber-attack and data breaches.
As such, of those limited cyber-insurance policy which may be available, it is common to find that coverage tends to be limited to “first-party” costs only, such as costs for company’s data breach investigations. “First-party” costs refer to costs incurred by the company itself, but not court- or regulator-imposed fines. It is also quite common to find extensive exclusions in the terms and conditions in the insurance policy excluding “fines and penalties”. Where coverage on fines and penalties are provided this is usually qualified by wording in the policy which limits availability of such coverage only to the extent where “they are insurable in the jurisdiction”.
5. Growing demand and need for cyber related insurance coverage
It was estimated that US$2.5 billion premium for cyber-related insurance policy was written in 2014. However, demand and need for cyber insurance is growing rapidly, and it has been reported that the global cyber insurance market could reach as much as US$29.2 billion by 2025. Accordingly, there is a growing trend for the insurance market in relation to cyber and data privacy related insurance, and strong market growth and increase are expected over the years ahead.
In the UK, the Lloyd’s Market Association (LMA) and Prudential Regulatory Authority report on cyber risks and exposures shows that “affirmative cover” for cyber incidents are increasing, but only estimated to be 2-3% of contracts underwritten by Lloyd in 2017. In view of the increasing needs for cyber and data privacy related insurance, there is large room for expansion of relevant insurances coverage in the market.
As for GDPR, while it remains to be seen how the law and the insurance market in the UK and EU will evolve and develop to tackle the issues concerning insurability of fines and penalties as discussed above, there are also other potential risks and liabilities arising from violation of the GDPR – such as the ancillary costs of legal fees and litigation, remediation and costs of compensating and notifying the impacted data subjects, potential “third-party liability” and monetary damages arising from private/individual right of action on data subjects if there is violation of the Regulation, where a wider range of specific insurance products are needed to cover such risks and liabilities. Demand for such coverage certainly exist on the market. Indeed it has recently been reported that specific GDPR insurance cover for small and medium sized enterprises, which is said to be first of its kind, has been introduced onto the market. This is mainly aimed, as we see, at the US market, but it nonetheless represents a positive development.
Position in Hong Kong and the way forward
The position in Hong Kong in relation to data privacy breach is similar to that in the UK. Public policy argument of illegality prohibits insurances against fines and penalties prevails, but whether regulatory fines relating to data privacy breach liability is insurable is still unclear.
While related insurance position remains unclear, the public has raised concerns over increasing reports of data privacy breach incidents:
> Cathay Pacific Airways faced criticism for a massive data breach that data had been accessed without authorisation involving 9.4 million passengers, but only revealed the data breach after 7-month.
> Hong Kong Broadband Network compromised the personal information of some 380,000 customer including names, identity card numbers, credit card details, telephone numbers, email addresses and correspondence addresses;
> Credit reporting agency TransUnion failed to maintain a safe authentication procedure resulting in easy access to personal credit reports, including those of some high-profile public figures, such as the Chief Executive Carrie Lam and Financial Secretary Paul Chan Mo-po due.
The enforcement approach against data privacy breach is far less fragrant in Hong Kong compared to that in the UK. The Personal Data (Privacy) Ordinance (Cap. 486) provides for a fine of only up to HK$50,000 (doubled for any subsequent convictions) and imprisonment for up to two years for a breach of the enforcement notice by the Office of the Privacy Commissioner for Personal Data (the “Commissioner”). Compared to the GDPR which stipulates that data processors are additionally obliged to maintain records of processing, ensure security of processing and report data breaches, the Personal Data (Privacy) Ordinance does not regulate data processors directly. Investigations will only be conducted in Hong Kong if complaints of data breach are established.
The position in Hong Kong is, however, about to change. The Office of the Privacy Commissioner for Personal Data (PCPD) revealed it received 129 data breach reports in 2018, which is up 22 per cent from 2017, and 80 per cent higher than in 2014. With the outcry following recent high profile incidents such as Cathay Pacific and TransUnion data breaches, lawmakers in Hong Kong is expecting a revamp in the Personal Data (Privacy) Ordinance to empower the Commissioner with more teeth – with (a) an increased fines and penalties and (b) a broader enforcement power under the law.
Other than for the recent data breach events in Hong Kong, a tougher handling approach towards data privacy breach is anticipated in Asia. One recent example is in Singapore, where the Personal Data Protection Commission (PDPC) has fined Integrated Health Information Systems (IHiS) for lapses in securing 1.5 million patient data, including Prime Minister Lee Hsien Loong, in a security cyber attach on SingHealth in June 2018. This may be another reason why Hong Kong should expect to see more serious fines and penalties imposed in relation to data privacy breach.
With the new GDPR in force in the EU, there is an increasing demand for related insurances. Whilst in Hong Kong, following several significant cybercrime incidents, lawmakers is expected to jump on the bandwagon to strengthen data breach fines and penalties. In light of this trend, we expect to see interesting changes and development over the coming years on the current law and insurance market relating to insurance policies against data breach fines and penalties, and on cyber and data privacy related insurance in general.
AON report “The Price of Data Security – a Guide to the insurability of GDPR fines across Europe” http://www.aon.com/attachments/risk-services/Aon_DLA-Piper-GDPR-Fines-Guide_Final_May2018.pdf
CNBC. 7 November 2018. Hong Kong privacy watchdog to investigate Cathay Pacific over massive data breach. Available on https://www.cnbc.com/2018/11/06/hong-kong-watchdog-to-investigate-cathay-pacific-over-data-breach.html.
Cyber and data – policy wording by HISCOX. Available on https://www.hiscox.co.uk/sites/uk/files/documents/2017-03/13388-cyber-and-data-policy-wording.pdf.
Cyber Insurance – policy wording by Vero. Available on https://www.veroliability.co.nz/documents/wordings/cyber-policy-wording.pdf.
General Data Protection Regulation (GDPR) http://www.privacy-regulation.eu/en/article-83-general-conditions-for-imposing-administrative-fines-GDPR.htm
Information Commissioner’s Officer Monetary Penalty Notice dated 24 October 2018. Available on https://ico.org.uk/media/action-weve-taken/mpns/2260051/r-facebook-mpn-20181024.pdf
Investigation Report: HKA Holidays Limited Leaked Customers’ Personal Data through the Mobile Application “TravelBud”. Available on https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R14_6453_e.pdf.
OCED Report on Unleashing the Potential of the Cyber Insurance Market Conference Outcomes. Available on https://www.oecd.org/daf/fin/i...
Personal Data (Privacy) Ordinance (Cap. 486)
Price Waterhouse Coopers (2015): Insurance 2020 & beyond: Reaping the dividends of cyber resilience.
 See The New York Times, Google Is Fined $57 Million Under Europe’s Data Privacy Law, reported on Jan 21, 2019.
 See Forbes, How the British Airways breach will reveal the true cost of GDPR, reported on Sep 20, 2018.
 See GDPR article 83(6): Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
 In the Full Monetary Penalty Notice, under paragraph 6, the Commissioner’s conclusion was based on the UK establishment of Facebook and in consideration of reasoning in Google Spain v AEPD  QB 1022. (See here)
 See Various Claimants v Wm Morrisons Supermarket  EWCA Civ 2339 .
 See paragraph 78 of the judgment of Various Claimants v Wm Morrisons Supermarket  EWCA Civ 2339: “There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by Ms Proops on behalf of Morrisons.”.
 See the report by AON “The Price of Data Security – a Guide to the insurability of GDPR fines across Europe” in May 2018.
 Ibid 3, p.16.
 See Price Waterhouse Coopers (2015): Insurance 2020 & beyond: Reaping the dividends of cyber resilience.
 See Insurance Asia News “Cyber Insurance Market to hit US$29.2 bn in 2025” reported on June 19, 2018.
 See LMA “Cyber Risks & Exposures Model Clauses: Class of Business Review’in January 2018.
 See South China Morning Post. “Credit reporting agency TransUnion forced to suspend online services over personal data security flaw as Hong Kong leader urges fix”, published on 29 November 2018. Available here.
 See Articles 30,32-33 and 37 of the GDPR.
 See section 2(3) and 4(2) of the Personal Data (Privacy) Ordinance.
 See South China Morning Post, Data breaches in Hong Kong have jumped 80 per cent in five years, now privacy watchdog wants more power and resources to give future investigations ‘teeth, published on 31 January 2019. Available here.