Insuring against potential data violations pays, according to lawyers, but it can’t be used in isolation to guard effectively against a potential fallout.
Luckily it’s not often one hears about personal data protection breaches at advice firms but they do happen.
And mistakes can be costly. Not only can firms be fined several millions of pounds under GDPR, they can also incur regulatory fines when breaching the FCA’s data security rules.
The good news is: mistakes can happen and firms typically aren't held liable immediately. The bad news: insufficient processes and controls can create more damage than a simple fine.
According to Richard Breavington, partner and head of cyber & tech insurance at RPC, advice firms are particularly vulnerable to data breaches when it comes to monetary transactions.
"In these situations, a common target for a threat actor will be to intercept communications regarding payment involved in the transaction and to ask for it to be re-directed to a fraudulent bank account," he says.
Typically the culprit is human error, he adds. "[Such] payment diversion frauds can follow from payment details not being double-checked through a separate source, such as phoning/video-conferencing a trusted number or address.
"It can also be human error that is the root cause of the initial access by the threat actor, through responding to phishing emails and/or failing to have properly configured systems in place."
But he stresses there is no requirement in the data protection rules that organisations must not have personal data breaches, rather they have a duty to try and prevent them as best as they can, and if they occur, to act accordingly.
Meeting claims criteria
In order for a valid claim to be brought under the GDPR, it must be established that there has been a breach of the requirements contained in GDPR and that such a breach has resulted in a loss.
One of the requirements, which is mirrored in the FCA’s expectations of regulated firms, is that appropriate security measures are put in place to prevent data breaches.
Fred Snowball, partner at Macfarlaines, says the regulatory guidance is clear: firms must take proactive preventative steps and can’t be reactive when it comes to data security.
He says: “The FCA...is focusing very much on business continuity and harm to consumers, whereas the Information Commissioner’s Office’s focus is slightly different, pretty similar, but slightly different in that it's looking at the harm to individuals' data rights under the GDPR.”
He explains: “The things that regulators will be looking at are have you got proper systems and controls for verifying data whenever it's transferred outside to make sure it's going to the proper parties to catch these kind of mistakes.
“On the cyber attack side, have you got proper IT protections, have you got disaster recovery plans, all that kind of thing.
