The Information Commissioner’s Office (ICO) intends to fine the Marriott International hotel group £99.2m for breaching data protection law after the personal data of 339 million of its guests was exposed in a breach discovered last November.
In a statement released online, the ICO said it intended to impose the fine for infringing GDPR and that it will “consider carefully the representations made by the company and the other concerned data protection authorities” before it makes a final decision.
But with a fine so large, coming so soon after the ICO announced it was fining British Airways (BA) £183m, will cyber insurers step in to pay such fines?
On whether the fine is covered by insurance, Clive O’Connell, partner at McCarthy Denning, said that while Marriott has cyber insurance, the question of whether any fine is covered is a vexed one.
He said the policy wording needs to be looked at first, noting that “many will cover fines provided that the cover of fines is allowed”, but that this may not be the case in every country.
He told StrategicRISK’s sister title, Insurance Times: “In English law there is a rule that one cannot insure against one’s own wrongdoing. Clearly one cannot insure against a criminal sanction. That is against public policy. One can almost certainly not insure against a civil fine for one’s wrongdoing. The question is whether one can insure for a strict liability penalty.
“This is a fraught question and one that has not been tested in the context of GDPR. Most commentators believe that such fines will prove uninsurable. That said, the size of the Marriott fine is such that, if insurance exists, we may well see this challenged in court.”
Flexing its muscles
Cyber security consultancy Mactavish said that the ICO is “flexing its muscles” with the two fines levied on BA and Marriott.
Bruce Hepburn, chief executive at Mactavish, said: “Two ICO announcements of this magnitude in quick succession make clear the landscape is seriously changing. This should be a clear sign to companies that they need to have robust programmes of insurance in place that can respond to the defence of an ICO investigation.”
“Companies should not just assume cyber insurance will provide cover – the reality is far more complex than that. Cyber insurance can be incredibly valuable to hold in this scenario: even though ICO fines are broadly uninsurable in the UK, good cyber insurance will go so far as covering defence costs, customer compensation and various wider costs of responding to a data breach incident.
“Legal defence costs in particular are likely to be significant if fines continue to escalate, especially where ICO decisions are contested as looks likely in the current cases of BA and Marriott. So, companies need to ensure that the levels of insurance cover that are in place are meaningful. Companies should ask themselves whether they are buying enough insurance to cover these costs and all the expenses that can be incurred in the event of a breach,” he continued.
“But cyber is also a relatively immature and highly complex insurance product. There are enormous differences in what policies do and do not cover and how that cover works. The circumstances of Marriott International’s data breach – discovered recently, but occurring many years ago, before Marriott’s acquisition of the company – could create multiple challenges to securing cover.
“Companies facing similar situations might be surprised to find out that the cyber insurance they purchased was not as reliable as they supposed. This type of situation could also bring up issues around historic non-disclosure, where the legal duties applying to buyers of insurance have changed since the Insurance Act came into force in 2016, and insurers have recently been gearing up to take more such objections on claims, supported by guidance from the Lloyd’s Market Association,” Hepburn added.