GDPR Fines vs Civil Claims — What's Insurable

The single most consequential coverage question after a public data breach is which heads of regulatory and civil exposure can be insured at all. ICO fines reach £17.5m or 4% of global turnover; civil-side data subject claims under Article 82 of UK GDPR are now an established pattern post-Lloyd v Google; PCI fines and assessments from the card schemes can match either; and the public-policy question of which of these can be indemnified at common law remains contested.

This spoke walks through the insurability framework with reference to case law, the cyber policy’s standard formulation, the boundary between defence costs (almost always insurable) and fines (frequently not), and the practical buyer takeaway.


The scenario

A multi-channel retailer with 1.8m active customer accounts is breached through a compromised admin credential on its e-commerce platform. The attacker exfiltrates a customer database including name, email, postal address, date of birth, phone number, hashed passwords (hashed with MD5, an outdated algorithm), and partial payment card data including primary account numbers and expiry dates. The attacker also gains access to a staff database including National Insurance numbers, payroll information and reference details.

The compromise is undetected for 47 days. Discovery follows the appearance of customer credentials on a known credentials marketplace. Forensic investigation establishes the breach window, the scope of exfiltration, and the technical cause (a misconfigured cloud storage bucket combined with an admin credential for which MFA was not enforced).

The retailer notifies the ICO within 72 hours of confirmed breach. Article 34 notifications to data subjects follow within seven days. The card schemes are notified within the PCI DSS timelines. A representative claim firm announces an intention to bring proceedings on behalf of affected customers under UK GDPR Article 82 within fourteen days; opt-in registration reaches 38,000 customers within four months.

The ICO opens a formal investigation. After eighteen months the ICO issues a Notice of Intent for a monetary penalty of £8.2m, considering the volume of data, the duration of exposure, the inadequacy of technical and organisational measures, and the retailer’s response. The retailer responds and ultimately negotiates the fine down to £4.4m. PCI assessments by the card schemes total £900k.

The civil litigation settles after eighteen months on a global basis with an aggregate fund of £6.2m plus legal fees of £1.8m.

The retailer’s cyber policy has a £15m limit. The question for the broker and the in-house team: how much of the £8.2m → £4.4m fine, the £900k PCI assessment, and the £8m civil settlement is insured?

The legal framework

ICO monetary penalty notices. Issued under section 155 of the Data Protection Act 2018. The maximum penalty under UK GDPR is the higher of £17.5m or 4% of global annual turnover for the most serious infringements (Article 83(5)); £8.75m or 2% for less serious (Article 83(4)). The ICO must consider the criteria in Article 83(2) and DPA 2018 Schedule 16.

Article 82 civil claims. UK GDPR Article 82 provides that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” The cause of action is direct; class-action procedure is more limited in the UK than in the US but representative procedures under CPR 19.6 are available.

The Lloyd v Google line. Lloyd v Google LLC [2021] UKSC 50 confirmed that “uniform damages” for “loss of control” of personal data are not available under section 13 of the Data Protection Act 1998. The decision narrowed the route to mass-claim litigation under UK data protection law but did not eliminate it: claims for material damage and proven non-material damage remain available. The opt-in representative action remains the dominant procedural route. Lloyd v Google did not address UK GDPR Article 82 directly; it was decided on the 1998 Act.

The Vidal-Hall line. Vidal-Hall v Google Inc [2015] EWCA Civ 311 established that distress alone could ground a misuse of private information claim. This pre-UK GDPR authority remains relevant for claims framed in misuse of private information rather than (or alongside) data protection.

The Stadler v Currys line. Stadler v Currys Group Ltd [2022] EWHC 160 (QB) and similar first-instance authorities have signalled judicial reluctance to award substantial damages for mere notification of a breach without proven specific harm. Damages of £500–£2,000 per claimant for distress have been seen; the mass-claim economics depend on volume.

PCI DSS framework. PCI DSS is a contractual standard imposed by the card schemes on merchants and acquirers. Non-compliance penalties are contractually levied by the card brands through acquiring banks. They are not regulatory penalties in the strict sense; they are contractual liquidated damages. Insurability is governed by contract law, not regulatory policy.

Insurability — the doctrinal position

The English law principle that criminal penalties cannot be insured is settled. The leading authorities:

Askey v Golden Wine Co Ltd [1948] 2 All ER 35. The principle that the law will not enforce an indemnity against the consequences of one’s own criminal act, on grounds of public policy. The deterrent purpose of the penalty would be defeated by indemnity.

Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472. The Court of Appeal extended the principle to competition-law penalties imposed on a corporate body. The penalty is intended to deter the company’s wrongdoing; indemnifying it from a third party (here, allegedly negligent directors and employees) would defeat the deterrent.

The civil/criminal distinction. Twigger distinguishes between criminal penalties (uninsurable) and purely civil regulatory penalties (potentially insurable). The line is not always easy. Hi Hotel HCF SARL v Spoering (the European authority) and the more recent UK authorities recognise that some administrative penalties may be civil in character — purely compensatory or regulatory — and therefore insurable.

ICO monetary penalty notices — civil or criminal in character? This is the unresolved question. The ICO’s penalty notices are issued under a statutory administrative regime, are appealable to the First-tier Tribunal (General Regulatory Chamber), and are not criminal convictions. On the Twigger logic they should be civil in character and insurable. But the deterrent purpose of the penalty is clearly present in the ICO’s statutory framework and the European-law context, which suggests an uninsurable character. No UK court has definitively ruled.

The “to the extent insurable as a matter of law” formulation. Modern cyber policies typically indemnify ICO fines, civil regulatory penalties and similar exposure to the extent insurable as a matter of law. This is the insurer’s hedge: pay if a court would say payment is enforceable; do not pay if it would not. The clause shifts the risk of the insurability question from the insurer to the insured, but in practice insurers usually pay subject to receipt of legal opinion supporting insurability.

The cyber policy response

Defence costs. Universally insurable. The cyber policy responds to legal costs of defending an ICO investigation, civil litigation, and PCI assessment proceedings. Typical sub-limits: regulatory investigation defence £1m–£5m within the main limit; civil defence within the main limit.

Civil settlements and judgments. Insurable. The £6.2m civil settlement and £1.8m claimant legal costs are paid by the cyber policy subject to the limit and the policy’s third-party liability head. Settlement co-operation clauses require insurer consent to settlement above a threshold; do not settle without insurer agreement.

ICO fine. The £4.4m fine is paid by the cyber policy to the extent insurable. The insurer’s practical position is usually to pay subject to legal opinion confirming insurability under the Twigger framework. For most current UK cyber policies, the answer is “the insurer will pay” — the unresolved doctrinal question is held open and the insured receives the payment.

PCI assessments. Generally insurable as a contractual liability between the merchant and acquirer/card scheme. The £900k assessment is paid by the cyber policy subject to a possible PCI sub-limit (sometimes capped at £1m–£5m within the main limit).

Notification, credit monitoring, PR, forensics. All first-party heads. Insurable. Paid by the cyber policy.

The civil claim — quantum and procedure

The representative action mechanics. Following Lloyd v Google the opt-in route is dominant. The claimant firm builds a register of opt-in claimants over 6–18 months; the claim is filed once volume reaches commercial viability; settlement typically follows on a global basis within 18–36 months.

Damages quantum. Stadler v Currys and later first-instance decisions have established a working range of £500–£2,000 per claimant for distress damages where proven, with a higher range where specific financial harm is established. The market expectation for a “standard” breach with no specific financial harm is around £750–£1,500 per claimant.

Aggregation. The retailer’s aggregate exposure at £750 per claimant for 38,000 opt-in claimants is £28.5m — well above the cyber limit. Settlement is typically negotiated downward as part of the global settlement and reflects the difficulty of proving distress, the cost of running individual quantum hearings, and the cap of the insurance pot.

The £6.2m settlement plus £1.8m costs in our scenario reflects this dynamic.

The PCI DSS dimension

PCI DSS (v4.0) imposes a contractual regime on merchants handling card data. The four card brands (Visa, Mastercard, Amex, Discover) impose non-compliance penalties through the acquiring bank.

Assessment categories.
- Egress fines: penalties for each month of non-compliance after a deadline.
- Account data compromise fines: penalties for breaches involving cardholder data.
- Card replacement costs: chargebacks to the merchant for the cost of reissuing cards to affected customers.
- Operational expenses fines: charges for additional monitoring and assessment.

Magnitudes. For a breach of 1.8m records including PAN: £200–£500 per affected card account is typical for account data compromise; £5–£15 per replacement card. The £900k assessment in our scenario assumes negotiated settlement.

Insurability. PCI assessments are contractual liabilities, not regulatory fines. Insurable in principle. The cyber policy’s PCI head typically responds, sometimes within an explicit sub-limit.

The PCI/ICO interaction. A retailer breaching PCI DSS faces both PCI assessment and (if the breach involved unlawful processing of card data, e.g. storing CVV in breach of PCI DSS) potential ICO consequences. The two are independent.

Worked numerical example

The retailer’s outcome:

| Head | Quantum | Policy | Notes |
|---|---|---|---|
| Forensic + legal + IR | £620,000 | Cyber | first-party |
| Notification (1.8m subjects) | £450,000 | Cyber | postal + email + call centre |
| Credit monitoring (24 months) | £1,800,000 | Cyber | offered to all subjects |
| PR + crisis communications | £380,000 | Cyber | brand + customer comms |
| ICO defence | £880,000 | Cyber | 18-month engagement |
| ICO fine (after negotiation) | £4,400,000 | Cyber, “to extent insurable” | insurer paid subject to legal opinion |
| Civil claim settlement | £6,200,000 | Cyber third-party | within third-party limit |
| Civil claim defence + claimant costs | £1,800,000 | Cyber | within the limit |
| PCI assessments | £900,000 | Cyber PCI sub-limit | within sub-limit |
| Card replacement (passed through by acquirer) | £180,000 | Cyber | first-party where insured holds the cost |
| Lost gross profit during incident response | £400,000 | Cyber BI | 30-day disruption to e-commerce |
| Total cyber recovery | £18,010,000 | exceeds £15m limit | gap £3.01m |
| Reputational tail / customer churn (year 1) | £4,500,000 | Uninsured | structural gap |

The limit gap of £3m is the structural lesson: at this scale the £15m cyber limit was inadequate. The reputational/churn tail is the further structural gap that no policy reaches.

The “to the extent insurable” question — practical handling

Where the cyber policy includes the “to the extent insurable” hedge on ICO fines:

The standard practice is for the insurer to instruct an opinion from a senior barrister or specialist firm. The opinion addresses whether, on the facts of the case, the ICO fine is in substance a deterrent penalty (uninsurable) or a regulatory/compensatory measure (insurable). The opinion is usually carefully drafted to allow payment subject to the qualification that the position is unresolved at appellate level.

The insurer then pays. The insured receives the indemnity. The doctrinal question remains open until a court is asked to enforce an indemnity payment against the cyber insurer in adversarial circumstances — which has not yet happened.

The risk for the insured: a future case in which the cyber insurer declines to pay an ICO fine and the court rules the fine uninsurable. The protection: keep the “to the extent insurable” language as wide as possible, and document the insurer’s pre-incident position on insurability where possible.

Practical buyer takeaway

For commercial buyers with significant personal data processing:

Confirm the cyber policy’s “to the extent insurable as a matter of law” formulation and the insurer’s pre-incident position on payment of ICO fines. Some insurers will write to confirm intent to pay; others will not.

Match cyber limits to credible aggregate exposure including ICO fines + civil claims + PCI + first-party costs. For a retailer with >1m customer accounts the £5m and £10m limits routinely seen are inadequate; £15m–£50m is the realistic working range.

Ensure PCI sub-limits are adequate for the merchant level. PCI assessments routinely run to £1m+ for mid-market retailers; a £500k sub-limit is inadequate.

Document personal data inventory. The ICO investigation defence is materially faster, cheaper and more successful when the inventory exists at breach point.

Match civil defence cover to expected representative action defence cost. £1m–£5m of defence-only cover (within or in addition to the limit) is typical for a major breach.

Pre-engage external counsel on the Twigger insurability question for ICO fines specifically. The opinion can be commissioned in advance, then refined at incident.

Audit your card data flows for PCI DSS compliance gaps. The egress fines for sustained non-compliance after a breach can dwarf the breach itself.

FAQ

Q1. Is the ICO fine actually insurable? The question is unresolved at appellate level. Most cyber policies will pay subject to the “to the extent insurable” qualification and legal opinion. Recent industry practice has been broadly to pay rather than litigate.

Q2. Can the ICO fine my employees individually? Article 83 fines are typically on the controller (the company). Senior managers can face separate enforcement under DPA 2018 sections 196–198 (criminal offences for unlawful obtaining of data, etc.) — those are criminal and uninsurable.

Q3. Does cyber cover defence of a director facing personal regulatory action? The cyber policy covers the corporate insured’s defence. Directors’ personal defence is more typically handled by the D&O policy with a regulatory investigation extension. The two policies co-ordinate.

Q4. What’s a typical ICO fine for a 1m+ record breach? The published register shows substantial variation. Recent precedent suggests £1m–£20m depending on volume, sensitivity, controls and response. The 2018 BA fine (£20m post-negotiation from £183m intent) and the 2020 Marriott fine (£18.4m post-negotiation from £99m intent) are the high-water marks.

Q5. Are settlements under representative actions paid by cyber or by D&O? Cyber. The claim is against the corporate; the cyber third-party liability head responds.

Q6. What about damages under misuse of private information? Cyber typically responds. The Vidal-Hall tort claim is within the broad civil liability head.

Q7. What if the breach was caused by an employee’s deliberate act? Employee dishonesty is typically excluded from cyber but covered by crime. The corporate’s vicarious liability to data subjects is still cyber territory.

Q8. How does the cyber policy handle the ICO’s appeal process? Defence costs respond throughout. The First-tier Tribunal appeal route is within scope; the Upper Tribunal and Court of Appeal route also.

Q9. Are PCI fines paid by cyber or by crime? Cyber. Crime typically does not cover PCI assessments; the cyber PCI head is the home.

Q10. What if I’m a processor not a controller? Article 82 imposes liability on both controllers and processors. Cyber typically responds to either characterisation. Documentation of the controller/processor split helps with apportionment.

Sources

UK GDPR Articles 82 and 83.
Data Protection Act 2018, especially sections 155, 196–198, and Schedule 16.
Lloyd v Google LLC [2021] UKSC 50.
Vidal-Hall v Google Inc [2015] EWCA Civ 311.
Stadler v Currys Group Ltd [2022] EWHC 160 (QB).
Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472.
Askey v Golden Wine Co Ltd [1948] 2 All ER 35.
ICO Regulatory Action Policy and Penalty Notices Register.
PCI DSS v4.0 — the Payment Card Industry Data Security Standard.
British Airways ICO fine (October 2020).
Marriott International ICO fine (October 2020).
Insurance Act 2015.


Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.
