
GDPR three years on: 90% of security leaders concerned about data breach litigation

Increased rights for data subjects under GDPR mean security leaders are now more concerned about legal settlements than regulatory fines

London, UK – 25th May 2021 – Research by Egress has revealed that an overwhelming 90% of security leaders are concerned about group legal settlements following a serious data breach, compared to 85% who are worried about regulatory fines. Launched to mark three years of GDPR, the research also found that almost half (47%) of consumers would be likely to join a class-action lawsuit against an organisation that had leaked their data, suggesting that security leaders’ fears are well founded.

In response, 91% of security leaders are turning to cyber insurance to protect themselves from financial exposure by either taking out new policies or increasing their cover because of GDPR.

The survey, independently conducted by OnePoll on behalf of Egress, interviewed 250 security leaders and DPOs in the UK and 2,000 UK consumers.

Key insights include:

  • 90% of security leaders are concerned about class action by data subjects in the event of a serious data breach, whereas 85% are concerned about regulatory fines
  • Almost half (47%) of UK consumers say they’d join a class-action lawsuit against an organisation that had leaked their data
  • 91% of security leaders reported taking out cyber insurance, or upgrading their policy, as a result of GDPR
  • 67% of UK consumers are aware that they have the right to take legal action against an organisation that suffers a breach that exposes their personal data

Egress CEO Tony Pepper comments: “The financial cost of a data breach has always driven discussion around GDPR – and initially, it was thought hefty regulatory fines would do the most damage. But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation. Organisations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist. With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”

Lisa Forte, Partner at Red Goat Cyber Security LLP, comments: “The greatest financial risk post-breach no longer sits with the regulatory fines that could be issued. Lawsuits are now commonplace and could equal the writing of a blank cheque if your data is compromised.

European countries haven’t typically subscribed to a litigious way of regulating the behaviour of companies. That is now changing, and without explicit Government intervention, companies will need to accept they need deeper pockets to cover the lawsuit gold rush we are starting to see.

The recent Google case that currently sits with the UK Supreme Court could make group claims ‘opt out’ instead of ‘opt in’. That will inevitably mean that every single customer affected would be entered into the group action. That should be a huge worry for companies.

Companies need to really prioritise preventative measures both technical and human and have a tested incident plan in place.”

Eric Bedell, Luxembourg’s DPO of the Year 2020, comments: “When it came into force back in 2018, GDPR set the tone for how the use of personal data should be regulated. While regulatory fines have been in the news (and often used as a trigger for GDPR implementation), there is a lesser-known aspect: the right to take legal action against an organisation, not only for data breaches, but also for failure to erase personal data, to rectify it, to respond to Data Subject Access Requests (DSARs) or to provide portable information.

While in the United States, under CCPA, we have seen many actions, in Europe this is not (yet) widely used. However, I predict that this will grow as this right to take legal action becomes more popular - especially knowing that the ICO publishes a web page to provide guidance for data subjects taking such action. As a firm, this is a risk you want to consider, maybe more than regulatory fines, in my view.”

Edina Csics, GDPR & Data Protection Consultant at GIS-Consulting bvba, comments: “While cyber insurance might cover the financial damage caused by a data breach, it won’t help recover any reputational damage done. I hope that the 91% of respondents that have changed their cyber-insurance policies in response to GDPR have also considered doing the right thing by putting more serious measures in place than click-through employee security training and remediating their loosely implemented security technologies in addition to, and not instead of, taking out cyber-insurance. Data breaches do occur, and it’s a matter of when and not if, but in many cases these could be prevented.

But whatever their motivation, be it fearing collective lawsuits or regulatory fines, in taking steps to avoid financial damage, their actions may play in favour of consumers and the protection of their data.

Having said that, looking at the past activity of the ICO and its enforcement habits, I am inclined to understand why security leaders are more worried about the actions of those who are directly impacted – the data subjects whose personal data is subject to their not-quite watertight security measures – and those data protection activists that have an even higher drive to prove that there is more organisations can do to guard personal data.”

About Egress

As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations’ security and are most vulnerable when using email.

Egress is the only cloud email security platform to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.

Trusted by the world’s biggest brands, Egress has offices in London, Sheffield, Cheltenham, New York, Boston, and Toronto. In April 2024 KnowBe4, the provider of the largest security awareness training and simulated phishing platform, entered into a definitive agreement to acquire Egress.