Clyde & Co have sent us a range of predictions for 2021:
Cyber litigation will be the new battleground in 2021
by Seaton Gordon, Legal Director, Clyde & Co, London
Group claims (and potentially class actions) flowing from data breaches could become the new PPI in 2021.
The legal barriers to individuals bringing claims for loss of their personal data have been reducing in recent times. The timing coincides with growing consumer awareness and distrust about how their data is monetised and used, and at a time when newsworthy data breaches are becoming more frequent in occurrence.
Claims management companies and claimant law firms have been circling the potentially lucrative market in data privacy group action claims for some time. So far, however, there have been limited opportunities for them. But the ICO’s GDPR fines levied against British Airways, Marriott and Ticketmaster change the situation, providing the claimant market with an opportunity to leverage an adverse regulatory decision to bring claims, as they successfully did with PPI mis-selling cases.
The final piece of the puzzle could be a positive outcome for Richard Lloyd in the Lloyd vs Google data protection case that goes before the Supreme Court in early 2021. If Mr Lloyd wins, it will confirm that individuals are, in principle, entitled to compensation if a controller has lost control of their personal data, potentially taking the law closer to strict liability for data protection breaches. Moreover, it could potentially open the floodgates to ‘class actions’ with a surge of US-style opt-out ‘representative’ actions likely to follow.
The threat of a class action claim brought by experienced claimant lawyers seeking to leverage a regulatory sanction will raise the stakes for any organisation that suffers a large and newsworthy personal data breach. For now, these organisations typically face reputational damage linked to negative headlines, potential loss of consumer confidence and, in all likelihood, a data protection regulatory fine. While these outcomes are unfortunate, they are not ruinous.
However, a surge of low-value compensation claims from hundreds of thousands or even millions of individuals could cripple an organisation. The cost and burden of dealing with such a scenario represents a significant, and long-tail, risk to organisations’ financial viability and their reputation. With this threat on the horizon, data-breach-based group claims (and potentially class actions) are a risk that should be high on the risk radar next year.
Will the UK be ‘adequate’ in 2021?
Helen Bourne, Partner, Clyde & Co, London
It remains unclear whether the EU will grant the UK’s data protection regime ‘adequacy’ status after Brexit. If it does not, Britain’s businesses, and their insurers, will need to be on alert.
Organisations that rely on personal customer or employee data flowing between the UK and the EEA should be planning for a ‘no deal’ scenario to ensure that their data processing agreements are compatible with a new data privacy regulatory landscape.
Whatever agreement is reached over the terms of the UK’s exit from the EU, there will be implications for data protection regulations, in particular those governing data flow from the EEA to the UK, and internationally from 1st January 2021.
From this date onwards, the GDPR will cease to be law in the UK. It will be replaced by the new ‘UK GDPR’, created by the Data Protection and Privacy Electronic Communications (EU Exit) Regulations 2019 (‘DPPEC’), passed under section 8 of the EU Withdrawal Agreement.
Although the UK GDPR has incorporated almost all GDPR provisions verbatim into UK law, and both the UK and the EU have expressed a wish to minimise disruption after the transition period, it is still unclear if the EU/EEA intends to afford the UK ‘adequacy’ status. Without this status, continued uninterrupted free flow of personal data between the UK, the EEA and internationally will not be possible. Because two sets of rules will apply, complexity will be created when transferring and holding UK and EEA data as well as when managing cross-border data breaches.
Given the ongoing lack of clarity over Brexit and its longer-term impact on data privacy laws, UK organisations that rely on the continued cross-border data flow should keep abreast of updates from the ICO. Data privacy regulatory changes are likely, so it will pay to be on top of the detail and to have professional advice on hand to ensure compliance with the new data privacy requirements from 1 January 2021.
Ransomware payments will be more closely scrutinised in 2021
David Méheut, Partner, Clyde & Co, France
There has been a steep rise in ransomware attacks in 2020, and the legality of paying ransom demands will be under increasing legal and potentially even political scrutiny in 2021.
Ransomware attacks rose 50% this year. This steep rise is attracting growing regulatory attention, as significant amounts of money are diverted not only to criminal organisations but also to state-sponsored threat actors and potentially terrorists. This new scrutiny raises the spectre for insureds and cyber insurers alike that ransomware payments may be found to breach international sanctions, money laundering and anti-terrorism laws.
In October, the US Treasury’s Office of Foreign Assets Control (OFAC) issued new guidance to companies that clarifies the framework for ransomware payments by victims, insurers and other service providers involved in breach response services. The advice warned that such payments may violate OFAC regulations and could encourage further attacks.
OFAC also warned that it may impose civil penalties for ransom payment sanctions violations based on ‘strict liability.’ This means that anyone found in breach may be held liable, even if they were unaware that the payment had broken US sanctions law.
Other Western regulators are also turning their attention to ransom payments as political concerns grow over where the money is ending up.
Heightened regulatory scrutiny poses a significant risk to both insureds and their insurers. There needs to be increased clarity over which payments are acceptable and which are not. There will also be a requirement for enhanced checks and precautions to be undertaken to ensure compliance with all international regulatory requirements before any ransom is paid in 2021.
2021 will see re/insurers getting back to nature
Nigel Brook, Partner, Clyde & Co, London
2021 will see the launch of the Taskforce on Nature-related Financial Disclosure.
Operating in parallel with the TCFD (Taskforce on Climate-related Financial Disclosure), the role of this new government-funded taskforce will be to establish a framework to support businesses to make nature-related financial disclosures by the end of 2022.
Businesses expected to be most impacted by the new requirements will be global or national businesses whose supply chains impact natural resources including forestry, water or local populations. As the taskforce formulates a framework around nature risks (including physical, regulatory, market and reputation risks) so the financial consequences will be brought more sharply into focus. As with TCFD, reporting is likely to remain voluntary until the financial impacts of nature risk capture investor and public attention – likely within the next five years.
Examples of nature-related risks already in the public domain include the BP Horizon platform oil spill, the collapse of the Vale tailings dam, the liabilities and subsequent bankruptcy of PG&E following the California wildfires, and ConocoPhillips’ re-freezing of Arctic permafrost to facilitate ongoing oil drilling.
From an exposure perspective, the attention of re/insurers is likely to focus on nature-related litigation, damages, compensation requirements, pollution impacts and changes in regulation and reporting requirements. Re/insurers will also be aware that damage to the natural world will accelerate climate change and reduce our capacity to mitigate it. Longer term, the likely inability of nature-damaging companies to attract finance will impact the investment side of the re/insurance balance sheet.
The re/insurance industry is unlikely to welcome further regulatory oversight. However, as the global economic impact of nature losses and the associated decline of ecosystem services (water, energy, food and carbon sequestration) is made clear, the industry will need to be ready to respond.
We predict that 2021 will be the year in which nature loss and climate change combine in the industry and public consciousness as one of the most significant inter-linked systemic risks facing humanity, business and the global economy.
2021 will see regulators adopt a united front on climate change
Jacinta Studdert and Nigel Brook, Partners, Clyde & Co, London
The change of administration in the US will super-charge the hotly anticipated global climate change conference, COP26, which will now take place in Glasgow in November 2021. In particular, it will accelerate the willingness of insurance and banking regulators around the world to co-operate in setting expectations and enhancing regulation regarding climate risk.
US regulators are increasingly focusing on the topic. For example the US Federal Reserve has applied to join other banking and insurance supervisors in the growing Network for Greening the Financial System (NGFS) – a “coalition of the willing” committed to managing financial risks from climate change. New York’s Department of Financial Services, which joined in 2019, recently told the state’s banks and insurers that it expects them to integrate climate risk into their governance, risk management and business strategies (broadly in line with the Bank of England’s approach). 2021 will see more developments on this front.
In Europe EIOPA is urging national regulators across the EU to ensure insurers take a longer-term view on the climate risk they face and integrate this into their risk assessment and strategic planning. Expect climate risk scenarios to be adopted across the EU and, ultimately, reporting to be made mandatory.
In Australia, Covid forced ASIC to pause its rollout of climate change vulnerability assessments for banks and insurers. Those assessments should be published during 2021.
UK regulators have been leading the way. Authorised re/insurers will have to meet the expectations set out in Supervisory Statement SS3/19 by year end and the very largest of them will take part in the BoE’s Biennial Exploratory Scenario (BES), involving detailed climate stress tests. UK re/insurers will also be gearing up for TCFD-aligned disclosures, which will become mandatory for most of them by 2023.
Against this backdrop, we predict 2021 will be the year when re/insurers in many more countries will be making plans to improve climate governance, strategy and risk management.
Ten features will set top re/insurers apart in 2021
Dean Carrigan, Partner, Clyde & Co, Australia
As the industry gears up to deliver against the heightened expectations around climate change that COP 26 will set in train, we predict ten factors will differentiate global best in class re/insurers from the pack.
1 – The tone at the top will focus consistently on the risks and opportunities of a changing climate.
2 – Re/insurers will focus not just on their own action on climate change, but will raise expectations of employees, clients and other stakeholders including agents, brokers and third-party service providers.
3 – There will be a genuine whole-of-business appetite to understand and quantify the impact of physical, transitional and liability risks arising from climate change and increasing weather and natural catastrophe exposures.
4 – Significant investment will be made in mining and analysing deep scientific data to build understanding of the financial risks and exposures of the underwriting business.
5 – Climate change will be hard-wired into re/insurers’ operational and risk management frameworks.
6 – There will be genuine engagement with the community and customers to educate and foster an understanding of the benefits of adopting pre-loss risk reduction and mitigation steps.
7 – Re/insurers will develop incentives to drive insureds to adopt climate mitigation steps, and will acknowledge and reward insureds who do.
8 – Leading re/insurers may go so far as to offer premium adjustments and no-claims bonuses in recognition of action taken by clients.
9 – Product development will go into overdrive and will likely include the widespread rollout of parametric/index-type trigger policies to the retail consumer market.
10 – Product extensions may include practical and mental health support services for businesses in the post-loss claims environment.
11 – There will be a focus on technical and soft skills development among underwriting and claims staff, and a shift in recruitment focus to ensure businesses have the skills required to build on climate change momentum.