GDPR is set to be the next claims cash-cow

Data breaches could be the next big money-spinner for claims management companies now that the General Data Protection Regulation (GDPR) has come into force.

Under GDPR, which became law on 25 May, customers whose data has been compromised will be able to lodge claims for compensation even if they have suffered no direct financial loss as a result.

Raf Sanchez, international data breach manager at Beazley, told StrategicRISK’s sister title. Insurance Times that, with PPI winding down, claims firms would likely be turning their attention to GDPR. “There’s an army of lawyers who did PPI claims who are looking for something else to do,” he says.

And one of the first tests could be Dixons Carphone after recently suffering two of the biggest data breaches in UK corporate history. 

The retailer’s data woes began three years ago when 2.4m Carphone Warehouse customers’ records were accessed by hackers, triggering a £400,000 fine by the Information Commissioner’s Office (ICO) – then the joint largest ever handed out by the watchdog.

But the scale of this earlier breach was dwarfed by Dixons’ admission last month it had discovered during a review of its systems and data that there had been an attempt to secure unauthorised access to 5.9m cards held in the processing systems of Currys PC World and Dixons Travel stores.

The good news for the UK’s market leading electrical goods retailer is that 5.8m cards had chip and pin protection, meaning that the cardholder could not be identified or purchases made using them. The remaining 105,000, which lacked these safeguards having originated outside of the EU, were more vulnerable.

The company also revealed that 1.2m non-financial records, including postal and email addresses that fraudsters could use to build fake IDs, had also been accessed.

Matt Palmer, senior director for cyber risk solutions at Willis Towers Watson, says: “You are talking about 6 million payment cards: one in 10 in the country. That’s an enormous amount of data. The potential for misuse of that data is significant.”

The embarrassment over the scale of the recent incident is compounded by Carphone Warehouse’s previous breach.

Sanchez says: “They have suffered a big breach and been fined previously: from the perspective of customer trust it’s not great.”

Airmic technical director Julia Graham says Dixons has responded well to the breach: “They came quite quickly out of the box. They picked up the problem and dealt with it.”

Organised crime

And, so far, no financial losses have been traced back to the compromised records. But that doesn’t mean that the company is out of the woods, says Palmer: “In the past these types of attacks were put together by independent hackers or disgruntled employees. We are (now) seeing organised crime getting involved.

“We can’t assume that no action has been taken with the information. The data can be sold on the black market to build a profile that can be used to commit fraud. The combination of multiple events is likely to make it easier for the bad guys. Obviously, the onus is on Dixons to ensure that they communicate effectively with consumers.”

For now, the absence of serious consumer detriment resulting from data losses has bred complacency around the issue, says Graham: “What will shake people out of this is if there is no chip and pin protection. It will take only one breach where data is exposed, there is a fraudulent act, and people will change their minds.”

That Dixons has suffered a second large data breach will have prompted disquiet amongst cyber insurers, says Max Perkins, senior vice-president in the global technology & privacy practice at brokers Lockton.

Generally companies that have had a breach or a hack are regarded as a better potential risk because they had upgraded security, he says: “Cyber insurance underwriters normally take the view that if you have had a breach you will have generally learned the lessons and therefore you are a better risk going forward. This may challenge that school of thought.”

The Dixons breach is the first significant such incident to have hit an organisation since the implementation of the EU-wide GDPR. Just the stress due to the risk of being exposed to a fraud could be sufficient to mount a claim.

Sanchez, who is expecting a text message inquiring if he is a Dixons customer, says: “There’s an army of lawyers who did PPI claims who are looking for something else to do, especially where you have a big breach. Even if only 5% go ahead it’s a big chunk of potential fees.”

Perkins agrees: “Lawyers will want to test the courts around GDPR because it’s a revenue opportunity.”

The increased awareness about data security resulting from the way inboxes have been bombarded with emails about GDPR is likely to trigger more claims, says Graham.

The level of potential financial penalties has increased under GDPR, allowing regulators to impose fines of up to £20m or 4% of a company’s total turnover, whichever is higher.

Dixons has said the breach originated in July last year, well before the GDPR go-live date, with subsequent breaches stemming from this incident.

While the ICO is expected to give companies time to gear up to GDPR, its patience will be limited, says Graham: “It may reach a point where they are not so generous, especially if things go wrong.”