Cyber Liability: Data Breach in Europe (1)
How often has your data been hacked? Have you received a notice from your bank recently about suspicious transactions? Have you already adapted to the "new reality" of data (in)security?
Although the topic of cyber security is much broader than the data breach example, the media focus is usually on data breaches, which occur at a higher frequency than other cyber events. Ransomware attacks, where hackers encrypt data on the targets' computers and only release it in return for the payment of a ransom, have increased substantially in the last couple of years. However, data breaches have so far generated the majority of the cyber-related insurance claims, which is why we limit the scope of this article to those types of events.
While data breaches might have become commonplace, their effects on the breached entity (and on the affected individuals) are often far-reaching. The majority of headline-making data breaches have occurred in the United States, but cyber-attacks are a global issue, affecting the economy worldwide. The recently implemented European General Data Protection Regulation (GDPR) (2) is expected to lead to more reported cyber events in the European Union.
This article looks at the consequences of a data breach in Europe and compares the situations in Europe and the U.S. with regard to the major features of such an event. Watching the case law develop, in particular in the UK, which has taken some landmark decisions in this area, also indicates where Europe seems to be heading. The UK intends to fully implement the GDPR in spite of Brexit. (3)
The cyber insurance market is growing constantly, but the penetration of cyber coverage is still small relative to the value of the tangible and intangible assets that could be impaired by a cyber security breach. (4) According to an AON/Ponemon study, in 2015 only around 12% of information assets were covered by insurance. (5) Since then, the market has grown, but a huge protection gap still remains.
What is a data breach and why is coverage so critical?
One of the current problems for data owners is that they often have no control over where their data actually goes. Service providers manage the data, and many of these providers use sub-contractors for certain tasks. This is the reality of the connected world in which we live; data is stored in different places far beyond the control of the data owner and the reach of its jurisdiction. (6) The perpetrators' methods are similar, irrespective of where the data breaches occur. The targets of cyber-attacks are often companies that store large volumes of data for themselves or for third parties.
The most frequent data breaches involve personal information such as names, addresses, credit card and account numbers, health insurance numbers, PIN codes, Social Security numbers and other financial information of a large number of individuals. It is important to note that although laws define what personal data is (usually any information that allows a person to be identified, either directly or by combining data elements), these laws keep changing. Courts around the world continue to broaden those definitions. For example, a zip code has been considered personal data, and so has a person's browsing history on Google. (7) Furthermore, the European Court of Justice decided on October 19, 2016 that IP addresses may now also be considered "personal data". (8)
A "breach" of such data takes place when unauthorized individuals view, copy, steal or use such information in any other way.
Who are the (h)actors and what are they after?
Hackers' motives vary: fun, political, religious, or, presumably most often, financial gain. Behind most of the publicly disclosed cases (e.g. Target, Ashley Madison, Equifax, Uber), these unauthorized individuals were supposedly professional hackers. (9)
The so-called "dark net" (10) has become a lively market place for stolen data that can be used for identity theft, credit card fraud, and other criminal activity.
Identity theft occurs when criminals use someone's name, credit rating, health insurance number, or any other stolen data to gain a financial advantage in that person's name, including obtaining goods, services, credit or other benefits.
Credit card fraud is a particular form of identity theft, involving a payment card as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. (11)
Extortion cases are not limited to so-called distributed denial of service (DDoS) attacks or ransomware attacks, but also take place in connection with data breaches. In such cases, the hackers steal data and threaten to disclose it publicly unless a certain sum of money is paid, (12) often in bitcoin. This is often easy and quick money for the hackers because they don't need any infrastructure to "monetize" the stolen data.
Cases of cyber espionage, including IP theft, whether against private companies, states or governmental institutions, take place, too, but rarely become public. Usually, these situations do not give rise to large insurance claims. This article, therefore, does not look at such events.
Reaction to a data breach
When an entity...