Lloyd vs Google: The implications for brokers and insurers

It was the group data breach case that had insurers questioning their cyber insurance ratings models and brokers wondering about the impact.

Richard Lloyd – consumer protection campaigner and former head of Which? alleged that Google breached the data of four million Apple iphone users on the Safari browser unknowingly, under section 4 (4) of the Data Protection Act 1998 (DPA).

These users’ internet activity was tracked in secret using a cookie which was designed specifically to bypass the existing block on cookies that both Apple devices and the Safari browser has.

This allowed vast amounts of Business Generated Information (BGI) to be obtained by Google who later sold this data to advertisers between August 2011 and February 2012 without obtaining the users’ consent. 

Lloyd, who initiated the representative class action against Google had his original application dismissed on the basis that none of the iphone users suffered damage as they could not be identified.

But the Court of Appeal unanimously overturned the High Court’s decision this October deeming privacy – ”a fundamental human right”.

It said that the fact that someone has lost control of their data as a result of the actions of a third party who has used that data without their knowledge or consent has suffered a wrong that can be compensated regardless of whether they have suffered any damage.

This is irrespective of whether or not the breach has caused them any distress. 

While it remains to be seen what damages will be awarded to individual claimants, the implications of this case for any business that allows individuals’ personal data to be used or compromised outside the scope of consent of which it was obtained could see a significant increase in claims, and this causes added complications for those insuring data, as well as brokers.

Ed Lewis, partner and cyber insurance specialist at Weightmans law firm told Insurance Times that the Lloyd vs Google case highlights “the importance of privacy liability, where an individual’s data is misused.

”Privacy liability is already a big topic in the US where regulation places significant obligations on businesses. Brokers and insurers – and their clients – will now surely be wondering what the impact of this case will be on these shores,” he said. 

Loss of control

Discussions over data protection in the context of business interruption and crime are now commonplace, Lewis continued – this is down to GDPR being introduced and a number of high-profile cases.

“It’s true that the sanctity of personal data has been at the centre of cases in the past. Claimants have been able to bring cases on the grounds of having suffered a financial loss or some form of distress as a result of their data being breached.

”This meant that if a claimant was unable to prove financial harm or fear of reputation damage, for example, they would struggle to make a case for compensation,” he added.

However, Lloyd vs Google differs in one crucial way – it is a class action based on the individuals’ loss of control over their data.

“It significantly expands the circumstances in which someone can pursue a claim in a data breach, and therefore the pool of potential claimants,” Lewis said.

Taking it on the chin?

While Google is unlikely to take this ruling ”on the chin” the Supreme Court could still overturn the decision – but this outcome is unlikely, believes Lewis.

“The sanctity of data protection and privacy is a basic right that people are only just becoming alive to, and any court ruling will likely give primacy to that. However, we might see the Court placing limits on the quantum that could be awarded, and raising the bar for demonstrating loss of control, in turn narrowing the pool of potential claimants,” he said.

Explaining that the UK is in the “very early phases of understanding privacy liability exposure and its wider ramifications, Lewis said that the case will likely mean any business allowing individuals’ personal data to be used or compromised, in a manner outside the scope of the consent for which it was obtained could see a significant increase in exposure and volume of claims for loss of control.

Cyber cover as a ‘cure-all’?

Lewis expects to see a significant increase in the number of cyber policies purchased as firms scramble to mitigate this exposure.

But warned that the age-old issue of “cyber cover being seen as a cure-all” still remains.

“Businesses cannot just purchase cyber cover and then consider themselves protected against breaches. It’s important that employees are equipped from a technical as well as a behavioural standpoint when it comes to managing data, to ensure they are treating it with utmost care and attention.

”First class data governance and, in particular, cyber resilience – deficiencies in which so often result in data breaches and compromise events - are essential,” he stated.

Lewis highlighted that to accurately assess the risk that is being underwritten, both insurers and brokers need to understand the business that they are covering, who their customers are and how they and their supply chains are using their data.

“Insurers will be under pressure to ensure the businesses they’re covering are treating data with absolute care and attention,” he concluded.