Opinion

Insuring data breach liabilities – how different policies can stack up and the problem of late notification

Published Date
May 16 2025
An English Court has recently decided that three insurance policies covering the same loss – data breach settlements arising from an incorrectly addressed email – provided a combined, cumulative limit of indemnity. While the Court’s judgment focuses on the nuances of “other insurance” clauses, it demonstrates that cover for data breaches is not always confined to cyber insurance, and that it is important to comply with claims notification provisions under all potentially relevant policies. The judgment is also notable for the projected financial exposure from the incident (more than £6 million arising from settlements with approximately 1,000 data subjects).   

Background

In March 2020, an employee of the Claimant housing association inadvertently disclosed the personal data of approximately 3,500 tenants and employees to approximately 3,000 recipients. This prompted approximately 1,000 complaints and settlements which are expected to exceed £6 million.

At the time of the incident, the Claimant had three relevant insurance policies:

  • A Cyber Policy with a £1 million aggregate limit
  • A Combined Policy (i.e. a policy covering various exposures) with a £5 million aggregate limit
  • A Professional Indemnity or “PI” Policy with a £5 million aggregate limit

Relying on advice from the Defendant insurance broker, the Claimant promptly notified the incident under the Cyber Policy. However, the Claimant only notified the Combined and PI Policies at a later stage, after the periods of cover for those policies had expired. The insurers of those policies initially denied cover, although the Combined Policy insurer subsequently reversed its position and accepted the late notification.

The end result was that the Claimant had access to £6 million of cover (that being the combined aggregate limit of the Cyber and Combined Policies) whereas, according to the Claimant, there would have been access to an additional £5 million of cover if the PI Policy had been correctly notified during the period of insurance.

The proceedings and judgment

The Claimant duly brought proceedings against the Defendant, seeking damages for professional negligence. The Defendant’s answer was that its breach of duty had not caused any loss because the maximum amount of cover under all three insurance policies was limited to £5 million, that being the combined effect of the “other insurance” clause in each policy. For those unfamiliar with other insurance clauses, they are standard provisions which dictate how multiple policies covering the same risk apply in respect of one another. The outcome in any given case is highly dependent on the type and combination of clauses, but possible permutations include one or more policies operating as excess insurance, only covering a proportion of the loss, or not providing cover at all.
In this case, the Court decided that the three other insurance clauses cancelled one another out, meaning that – but for the Defendant’s breach of duty – the Claimant would have had additional cover under the PI Policy. Accordingly, the practical effect was that the Claimant could recover damages for any settlements in excess of the £6 million that had already been recovered from the Cyber and Combined insurers, up to a combined limit of £11 million.

Key takeaways

The Judge’s analysis of the other insurance clauses will be of most interest to insurance lawyers and insurance professionals, particularly those responsible for arranging cyber insurance programmes. However, the following points will also be of interest to data protection and cyber security specialists:

  • Different types of insurance can cover data breach liabilities: while cyber insurance may seem the natural home for data breach liabilities, as this case shows it is also possible for other types of policy to insure this exposure, sometimes as a coverage extension. It should also not be assumed that multiple responsive policies will provide cumulative cover, as this will depend on the exact wording of the other insurance clauses.
  • Data breach liabilities can be significant: this case serves as a reminder – if there was ever a need – that the cost of data breaches can be significant. While the overall bill (over £6 million for around 1,000 complaints) may seem on the high side based on recent authorities, this amount also presumably includes the legal costs associated with agreeing settlements. The sensitivity of the personal data is also not apparent from the judgment.
  • Timely notification: related to the first point, liability policies typically operate on a “claims made” basis, meaning that a claim (or circumstance that may give rise to a claim) must be notified within the policy period to have cover. While it seems that the Combined Policy insurer was prepared to be flexible, the PI Policy insurer evidently was not.
