ECJ GDPR rulings could open cyber litigation ‘floodgates’ as more companies turn to cell captives, predicts Clyde

Clyde & Co believes 2023 will be a decisive year for data breach litigation in the EU, and decisions by the European Court of Justice (ECJ) could “open the floodgates” for claims after larger cyber incidents.

In predictions for the year ahead, the law firm also expects a jump in the number of companies using cell and traditional captives to manage cyber risk.

Jan Spittka, partner at Clyde & Co in Düsseldorf, said damage claims for GDPR infringements are on the rise and there are multiple court decisions scheduled for 2023 that will determine whether a data breach claims industry focusing on cyber incident-related damage claims will emerge.

He explained that cyber breach notifications obligations can require organisations to disclose non-compliance with the GDPR, for example over a lack of appropriate security measures, which could give rise to damage claims by affected individuals under Article 82 of the regulation.

“We already see attempts by an alliance of experienced claimant law firms, litigation funders and legal tech companies trying to commercialise cyber incidents by compiling large volumes of individual claims. In Germany we have seen the first courts awarding €1,200-€2,500 in non-material damages per affected individual. The courts linked the damage to the risk that exfiltrated data could be used for identity theft. The claimants did not have to prove actual identity theft or fraud. The loss of control over personal data was sufficient,” he said.

“Whether these cases could open the floodgates to damage claim litigation after every larger cyber incident depends on how the European Court of Justice (ECJ) positions itself on fundamental questions on the interpretation of GDPR damage claims,” he added.

And it seems we may begin to see the direction of travel as early as next year. Spittka said nine cases on Article 82 of the GDPR are currently pending with the ECJ. The main focus of these cases is whether a GDPR infringement alone is sufficient to award non-material damages or whether there is a de minimis threshold requiring the claimant to demonstrate they developed concerns, fears or anxieties due to the loss of control over personal data, he explained.

Spittka said other key questions in front of the ECJ are dealing with the burden of proof when it comes to different requirements under Article 82.

“Even though the advocate general at the ECJ tends towards restrictive interpretation of non-material damages in the opinion on the first of the cases, this approach is not binding for the judges. How the ECJ will decide on GDPR damage claims in 2023 will be key for data breach litigation throughout the EU,” he said.

So risk managers will need to keep a close eye on the ECJ rulings in this critical area.

Meanwhile, Jesus Iglesias, partner at Clyde & Co in Madrid, said (re)insurance capacity for cyber insurance is shrinking and alternative capital is reluctant to commit to the class due to the volatility of the risk. As a result, Clyde and other experts expect more companies to turn to captives to cover cyber risk.

“Buyers who feel they understand their cyber exposures better than their insurers are considering putting premium spend into setting up captive insurers, securing as much reinsurance behind the captive as possible, and effectively insuring the risk themselves,” said Iglesias.

But captives aren’t always viable for smaller firms that are being squeezed between a lack of insurance market options and difficulties in self-financing the risk. In response, Iglesias predicts there will be a rise in the number of companies using cell captives, which are cheaper and easier to create, to transfer cyber risk in 2023.

“While the cost of establishing a standalone captive insurer remain prohibitive to all but the largest companies, the ready availability of cell companies in offshore jurisdictions with passporting rights into the EU suggests that an increase in the use of cell captives to write cyber and other risks is highly likely,” he said.

Back to top button