Insuring data risks can appear daunting with businesses needing to satisfy a range of obligations in terms of compliance, storage, access, and reporting when data breaches occur.

Therefore, it is essential for businesses to meticulously review their insurance policies.

In 2024, the ICO, the UK’s data protection regulator, completed 36,049 data protection complaints and 7,448 Freedom of Information complaints, including 179 investigations resulting in fines totalling £1,270,000.

Ensuring compliance with data regulations is a worldwide concern. Since its implementation in 2018, the General Data Protection Regulation (GDPR) has become the cornerstone of data privacy laws across the European Union, leading to a number of significant fines. These include Meta (Euros 1.2 billion), Amazon (Euros 746m) and Instagram (Euros 405m).

When arranging insurance, it is important to recognise that the exact cover for data breaches will vary from policy to policy, and it is crucial for businesses to clearly understand what is included and excluded.

Here is an overview of the types of cover available:

  • Public Liability (PL) with Data Protection Act Breach Extension

With the Data Protection Act Breach Extension, PL insurance can provide basic third-party coverage for claims under data protection laws. However, this excludes first-party costs and any professional negligence claims. It can be arranged to cover operational risks such as third-party claims for bodily injury or property damage.

While it can deal with compensation claims for unauthorised sharing of customer data due to a physical theft of files, it will not cover claims caused by a cyber event, breach of professional duty, or breaches involving financial losses only, such as loss of revenue due to stolen client data. It does not cover fines and penalties under GDPR or other regulations, or first-party costs such as forensic investigations or breach notifications.

  • Professional Indemnity (PI)

PI with Breach of Confidence Extensions (or Civil Liability Wordings) can be used to address professional negligence-related breaches, making it critical for professionals who handle sensitive information or provide advisory services, such as law firms, consultants, accountants, and other professional service providers. It can address professional negligence-related breaches not covered by Cyber Insurance.

Where the PI is extended to include ‘breach of confidence’, it can also cover the policyholder for inadvertently sharing their customers’ sensitive business plans and financial forecast data with a third party.

It will not cover breaches caused by malicious cyberattacks, hacking, or ransomware (excluded under cyber clauses like IUA 09-081/082), or claims unrelated to professional negligence, such as employee misconduct leading to a breach. First-party costs, including forensic investigations or breach notifications, are excluded.

  • Cyber Insurance

This cover is essential for mitigating operational risks from cyber incidents, particularly first-party costs and malicious events, but does not replace PI for professional liability / breach of confidence claims where other sensitive (non-personally identifiable) information is at risk. Comprehensive cover for cyber risks can include first-party costs and third-party liabilities related to cyber incidents, including costs for breach notifications and forensic investigations following a ransomware attack.

It can also include compensation for business interruption due to a system outage caused by unauthorised access and claims related to malicious cyberattacks or accidental data disclosure, particularly personally identifiable information.

W Denis offers companies expert support and risk management solutions to protect supply chains and business operations. Professional risk exposures are evolving, and it is important that businesses review their insurances for suitability using a specialist broker. To discuss this further with a broker at W Denis, please make arrangements with Daniel Moss at [email protected] or on 0044 (0)113 2439812 or contact Mark Dutton at [email protected] or on 0044 (0) 7831 366 469.

Specialist contact

Mark Dutton

Executive Director / Group Head of Broking & Business Development

T. +44 (0) 7831 366 469

E. [email protected]
