
The changing approach of the ICO to enforcement and its consequences for cyber insurance

John Edwards’ appointment as the ICO’s UK Information Commissioner brought in a new philosophy for regulation and enforcement. What are the consequences of the reform for cyber insurance?


January 2022 saw John Edwards appointed as the ICO’s new UK Information Commissioner. Edwards’ installation ushered in a new philosophy for regulation and enforcement, which has been heralded as one of transparency, proportionality, and accountability[1]. However, the ICO’s revised direction could potentially increase litigation, as heightened transparency can provide claimant law firms with additional information with which to pursue claims. Consequently, the frequency of cyber insurance policy claims could also rise.

What has changed?

Enforcement utilises a range of tools, including warnings, reprimands, compliance orders, bans on processing, and fines. Application of these powers depends on the severity of the incident and the mitigating actions taken. In addition to publishing enforcement notices, fines, and summaries of audit reports, the ICO will now also publish reprimands, retroactively dating from January 2022. The rationale for publishing this information is that regulatory action should be a source of education for every organisation. Fines, whilst headline-grabbing and quantifiable, should be secondary to remedial action by reprimanded organisations seeking to correct bad practices. This is what the ICO defines as regulating for outcomes, not outputs.

For 2022, a significant number of reprimands were issued against public organisations, with over 80% of those penalised in the public sector[2]. The ICO’s reformed regulation will promote a reduction in fines against public bodies in favour of a more conciliatory approach, initially on a two-year trial period. The ICO believes large fines are ineffective when imposed in isolation, particularly against public sector organisations, which pay fines directly from their budget for delivering public services[3]. Additionally, the ICO can indicate the fine it could have issued under the previous system to help quantify the severity of the incident[4].

There is also limited evidence, across different industries, that fines alone are sufficient to modify behaviour[5][6][7]. The ICO will continue using fines, especially for the most severe and harmful breaches or where companies have profited from non-compliance with UK GDPR. However, public reprimands will certainly result in examples of poor data protection practice receiving wider exposure. Organisations that notify incidents to the ICO should be aware of this and of the potential ramifications.

Unintended consequences?

Reprimands clearly identify the penalised organisation’s name, the duration of the infringements, and the scale and number of data subjects affected. A reprimand forms evidence of a breach of UK GDPR and is a possible foundation for legal action. Incident datasets can subsequently be stratified to find cases ‘worth pursuing’ that are likely to generate successful liability claims. Typical sums awarded in claims for less serious breaches of UK GDPR start in the hundreds of pounds. However, for incidents involving thousands or millions of impacted data subjects, the financial impact of claims can be incredibly severe.

Cyber insurance policies generally include coverage for damages, defence costs, regulatory defence expenses, and regulatory fines incurred as a consequence of a privacy breach. Insurers will be conscious that an increase in reprimands will inevitably proliferate liability claims brought against organisations. Although data security standards have increased dramatically, breaches are inevitable. Currently, 95% of cyber incidents are caused at least partially by human error[8]; even organisations with excellent cyber security controls are not infallible.

What does this mean for your organisation?

The ICO’s role is to uphold information rights in the public interest, and the regulatory action it takes is a crucial strategy for ensuring the protection of data. While the ICO wants to regulate for outcomes, it also wants to build cooperation and trust, which should be welcomed. However, the public nature of reprimands is likely to result in increased litigation. This in turn potentially raises the costs of dealing with data breaches and lengthens the time required to fully resolve incidents.

A robust response to a cyber incident, coupled with plans to mitigate the impact and bolster security going forward, reduces the opportunity for criticism by both the ICO and claimant law firms. Regulatory developments make it crucial to seek expert advice when incidents occur. Careful handling of the content of notifications to the ICO is imperative to ensuring all parties remain compliant with an increasingly complex regulatory environment.

[1] How the ICO enforces: a new strategic approach to regulatory action | ICO

[2] Reprimands | ICO

[3] Open letter from UK Information Commissioner John Edwards to public authorities | ICO

[4] dfe-reprimand-20221102.pdf (ico.org.uk)

[5] Do fines change the behaviour of financial firms? (finextra.com)

[6] Frequency of enforcement is more important than the severity of punishment in reducing violation behaviors | PNAS

[7] A Fine is a Price | The Journal of Legal Studies: Vol 29, No 1 (uchicago.edu)

[8] WEF_The_Global_Risks_Report_2022.pdf (weforum.org)

Meet the authors

Helen Nuttall, Head of Cyber Incident Management, United Kingdom

Alasdair Paterson, Cyber Incident Management Specialist

Patrick Cannon, Head of Cyber Claims Advocacy