How civil claims by data subjects are funded, what Lloyd v Google changed, where Vidal-Hall still bites, and the boundary between ICO regulatory action and individual civil action — under cyber and PI policy wordings.
A mid-tier accountancy firm in Leeds suffers a breach. A bookkeeper’s laptop is stolen from a car. The laptop contains a working copy of 14 client files including payroll data for around 4,800 employees. The laptop is encrypted but the encryption certificate has expired and disk-level encryption has reverted to a default password. Forensic examination concludes the data was accessible.
The firm notifies the ICO under Article 33. The ICO opens an investigation. Affected employees are notified under Article 34. A claimant law firm sees the press coverage and begins assembling a group action under section 47 of the Data Protection Act 2018 and Article 82 UK GDPR.
The ICO investigation is one stream. The civil claim is another. The accountancy firm asks: which policy responds to which, and to what extent?
Article 82 UK GDPR. The right to compensation under Article 82(1) is broad: any person who has suffered material or non-material damage as a result of an infringement of the regulation has the right to receive compensation from the controller or processor. Material damage is pecuniary; non-material damage covers distress.
The Lloyd v Google judgment. The Supreme Court in Lloyd v Google LLC [2021] UKSC 50 considered representative proceedings under CPR 19.6 for breach of section 4(4) of the Data Protection Act 1998 (the predecessor regime). The court held that “loss of control” of personal data, without proof of material damage or distress, was not actionable as a head of damage. The decision shut down the most ambitious representative actions, which sought damages on a class-action-by-default basis, but did not eliminate individual claims.
The position under UK GDPR. Article 82 applies directly. The threshold for non-material damage remains contested. Lloyd was decided under the DPA 1998 regime and is not directly binding on UK GDPR claims, though the underlying reasoning about the need for actual damage is influential. Lower court decisions including Stadler v Currys Group Ltd [2022] EWHC 160 (QB) have emphasised that de minimis distress is not sufficient.
The Vidal-Hall line. Vidal-Hall and others v Google Inc [2015] EWCA Civ 311 confirmed that misuse of private information is a tort and that distress damages are available without proof of pecuniary loss. The tort survives alongside the statutory regime and provides a parallel route for claimants in classic privacy-breach fact patterns.
Group actions. Section 47 DPA 2018 enables “representative” actions for data protection claims. After Lloyd, the opt-in group litigation order (GLO) remains the principal vehicle. Recent group actions include claims against retailers, banks, healthcare providers and government bodies.
Regulatory action vs civil action — the distinction. The ICO’s regulatory action under sections 149–157 DPA 2018 is administrative and punitive; it does not compensate data subjects. The civil action under Article 82 is compensatory and pursued by the data subjects themselves. The two run in parallel. A finding of breach by the ICO is evidence in the civil action but not conclusive. A finding of compliance by the ICO is not a defence to the civil action.
The market for non-material damages in UK data breach claims is still consolidating. A rough range:
Aggregation matters. For 4,800 employees a per-claimant figure of £1,500 implies £7.2m total quantum. Take-up rates for group actions vary widely (5%–30% is the rough band, depending on outreach by claimant firms). Realistic exposure may therefore be £400k–£3m for the civil claim alone.
The accountancy firm’s cyber policy has a £5m limit.
Third-party liability for data subject claims. This is the primary cover for the Article 82 claims. Most cyber policies expressly include “liability arising from a data breach” within the third-party head. Defence and indemnity are covered.
Aggregation. The cyber policy aggregates the claims under a single security event — the laptop theft and resulting breach is one event. The £5m limit applies to the aggregate of all claimants’ damages plus defence costs (unless costs are outside the limit).
ICO investigation defence. Cyber pays the defence of the regulatory investigation.
ICO fine. The cyber policy responds to the extent insurable as a matter of law. The insurability question remains contested for UK GDPR fines.
Notification costs. Cyber pays the cost of notifying the 4,800 affected individuals.
The firm’s PI policy is an accountancy form with a £10m limit and a cyber events exclusion in LMA5402 form.
Civil liability arising from the conduct of practice. The Article 82 claim by employees of clients could be framed as flowing from the firm’s professional conduct of those clients’ accountancy services. The civil liability head of PI would respond — but the cyber exclusion arguably bites because the breach was a cyber event (laptop theft with data accessibility).
This is the recurring tension. Where PI carves back for “claims arising from the supply of professional services where the cyber event is incidental to the alleged breach of professional duty”, the carve-back may apply. The question is whether the underlying breach is professional (failure to maintain proper data security as part of professional practice) or cyber (a cyber event triggering data loss).
The market is moving towards a clearer allocation: cyber as primary for data breaches, PI as secondary or excluded. For SRA-regulated solicitors the MTC override pulls these claims back into PI; for non-regulated professions the cyber exclusion in PI is increasingly a hard exclusion.
ICO investigation. PI generally does not respond to regulatory investigations.
The ICO investigation is on a separate track. The cyber policy funds the defence; the firm’s legal team coordinates the response. The investigation outcome is usually one of:
- A no-action determination with private feedback. Cost: defence only (£100k–£250k).
- A reprimand with no monetary penalty. Cost: defence only, plus reputational impact.
- An enforcement notice requiring specific remedial action. Cost: defence plus implementation.
- A monetary penalty notice. Cost: defence plus the fine (subject to insurability).
The civil claim is independent. Even a no-action ICO determination does not extinguish the civil claim. Conversely, a substantial ICO fine does not automatically swell the civil claim quantum, though it provides evidential traction for claimants.
A plausible aggregate:
| Head | Quantum | Policy |
|---|---|---|
| ICO investigation defence | £200,000 | Cyber |
| ICO monetary penalty (assumed £450k) | £450,000 | Cyber (subject to insurability) |
| Notification of 4,800 individuals | £45,000 | Cyber |
| Forensic and incident response | £160,000 | Cyber |
| Civil claim — 750 claimants × £1,500 avg | £1,125,000 | Cyber (with PI possibly engaged subject to exclusion) |
| Civil defence costs | £380,000 | Cyber |
| Claimant solicitors’ costs | £620,000 | Cyber (allocated) |
| Firm’s own internal cost and lost productivity | £180,000 | Uninsured |
| Reputational and client churn (year 1 lost revenue) | £400,000 | Uninsured |
| Total | £3,560,000 | mixed |
The cyber policy bears the bulk of the loss. The uninsured tail (reputational, productivity, fine if uninsurable) sits with the firm.
The ICO and the civil claim are independent. Don’t assume an ICO investigation closes the matter.
Lloyd v Google didn’t kill data class actions; it raised the bar. Group actions continue, including against high-profile firms.
Claimant firms increasingly fund these claims on conditional fee arrangements, so the exposure is not limited by the claimants’ own ability to pay for litigation.
Cyber policy limits aggregate the data subject claims under a single event. The £5m limit looks comfortable until you stress-test against a 30% take-up rate at £3,000 per claimant.
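The aggregation and take-up points above can be stress-tested directly. The following is an added example (not the author’s or any insurer’s model) that aggregates a group action under one event limit, treats defence and claimant costs as inside or outside the limit per the wording, and reports where the limit is exhausted; the 4,800 employees, £5m limit and cost figures are the article’s scenario, everything else is an illustrative assumption.

```python
"""Stress-test aggregated data-subject exposure against a single cyber limit.

Added example for the article's scenario (4,800 affected employees, £5m cyber
limit). Figures and structure are illustrative assumptions, not an insurer's model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    claimants: int            # employees expected to join the group action
    damages: float            # aggregate Article 82 damages (claimants x per-claimant)
    on_policy: float          # amount eroding the cyber limit (one event, one limit)
    paid_by_insurer: float    # capped at the limit
    uninsured_excess: float   # what the firm bears above the limit


def civil_exposure(affected, take_up, per_claimant, limit,
                   defence_costs=0.0, claimant_costs=0.0, costs_inside_limit=True):
    """Aggregate a group action arising from one security event.

    All claimants' damages from the same breach erode one limit. Defence and
    claimant costs erode it too only when the wording puts costs inside the
    limit; otherwise they are paid in addition to it and do not reduce cover.
    """
    claimants = round(affected * take_up)
    damages = claimants * per_claimant
    costs = defence_costs + claimant_costs if costs_inside_limit else 0.0
    on_policy = damages + costs
    paid = min(on_policy, limit)
    return Exposure(claimants, damages, on_policy, paid, on_policy - paid)


def stress_grid(affected, limit, take_ups, per_claimants, **costs):
    """List (take_up, per_claimant, uninsured_excess) for every combination
    that exhausts the limit, so the gap is visible before renewal."""
    exhausted = []
    for t in take_ups:
        for p in per_claimants:
            e = civil_exposure(affected, t, p, limit, **costs)
            if e.uninsured_excess > 0:
                exhausted.append((t, p, e.uninsured_excess))
    return exhausted


if __name__ == "__main__":
    # Article's stress case: 30% take-up at £3,000 per claimant, with the
    # article's civil defence and claimant-cost figures inside the £5m limit.
    print(civil_exposure(4800, 0.30, 3000, 5_000_000,
                         defence_costs=380_000, claimant_costs=620_000))
    for t, p, gap in stress_grid(4800, 5_000_000, (0.10, 0.20, 0.30), (1500, 3000),
                                 defence_costs=380_000, claimant_costs=620_000):
        print(f"limit exhausted at {t:.0%} take-up x £{p}: uninsured £{gap:,.0f}")
```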
PI exclusions for cyber events are increasingly tight. Read the wording at every renewal.
Document, in writing, with your cyber underwriter, the position on insurability of UK GDPR civil-side fines.
Match cyber limits to your data subject exposure — not your turnover. For firms holding payroll, health, immigration or financial data for thousands of individuals, £5m may be inadequate.
Match cyber retroactive cover to your PI retroactive cover. Civil claims under Article 82 can be brought within six years; the cyber policy responding must extend that far back.
Review the cyber exclusion language in your PI policy and the carve-back. Negotiate the carve-back at renewal.
Have a documented data minimisation policy and a documented retention policy. The ICO will ask. The civil court will ask.
Run quarterly tabletop scenarios on data breaches. The firms that respond well in real incidents are those that have rehearsed.
Maintain a current data flow map. Knowing where data sits is the precondition for knowing what was lost.
Brief staff annually on breach reporting. The 72-hour ICO clock starts on awareness; awareness can be a junior employee’s awareness, not the partner’s.
Q1. Does the ICO finding bind the civil court? No. It is admissible evidence but the civil court decides liability and quantum on its own.
Q2. Can data subjects sue for breach of the right to be informed? Possibly — Articles 12–14 obligations are substantive. Whether the breach of those obligations causes compensable damage depends on the facts. Lloyd’s reasoning constrains a no-damage claim.
Q3. What’s a typical take-up rate for a UK group action? Highly variable. 5–10% is common for breaches with low individual impact; 20–30% for high-profile breaches with active claimant outreach.
Q4. Do the Vidal-Hall misuse of private information damages aggregate with the Article 82 damages? The same claimant cannot recover twice for the same loss. The causes of action can be pleaded in the alternative.
Q5. Are claimant solicitors’ costs covered by cyber? Yes, as part of the indemnity where the firm settles or is held liable. The mechanics depend on whether costs are inside or outside the limit, which varies by policy.
Q6. Can the firm be sued by employees of its clients (not its direct clients)? Yes, where the firm was the controller or processor of those individuals’ data and the breach affected them. Article 82 gives the right to the data subject whether or not they have a contractual relationship with the controller.
Q7. What’s the limitation period? Six years for breach of statutory duty in England and Wales; six years for misuse of private information; six years for breach of confidence. Defamation has a one-year limitation but is rarely the relevant claim.
Q8. Does the firm’s contract with the client allocate the breach risk? Usually yes — typical engagement letters allocate data protection responsibility between client (controller) and firm (processor or joint controller depending on the service). The contract allocates as between firm and client but does not bind the data subject.
UK GDPR, Articles 33, 34, 82. Data Protection Act 2018, sections 149–157, 167. Lloyd v Google LLC [2021] UKSC 50. Vidal-Hall and others v Google Inc [2015] EWCA Civ 311. Stadler v Currys Group Ltd [2022] EWHC 160 (QB). Campbell v MGN Ltd [2004] UKHL 22. ICO Regulatory Action Policy. Civil Procedure Rules 19.6 (representative actions).
Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber and PI policy wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.