A worked example, the legal framework, the coverage analysis under each policy, the gap, the practical takeaway, and an FAQ.
A 38-partner litigation firm in the City has been instructed in a high-profile employment matter. The matter involves a senior executive of a listed company and includes personal data of a sensitive nature: medical history, family circumstances, communications regarding alleged misconduct of others within the company. The case bundle reaches 14GB. It is stored on the firm’s document management system with access restricted to the matter team.
A junior associate is targeted by a credential-harvesting phishing campaign. The associate enters their email password into a convincing facsimile of the Microsoft 365 login page, which relays the credentials to the real tenant in real time (an adversary-in-the-middle phishing kit). The associate completes the multi-factor prompt as normal, so the attacker never has to defeat MFA: the phishing page captures the session token issued after the MFA step, the attacker replays it to authenticate to the firm's tenant as the associate, and then registers a new authenticator app against the account so that access persists after the stolen token expires.
Over four weeks the attacker silently exports email and OneDrive content, including a substantial portion of the case bundle, before the firm's security operations centre notices anomalous data egress patterns. The registration of a new authentication method from an unfamiliar location is itself a logged event; alerting on it would have cut the four-week dwell time to hours. The attacker publishes a sample on a dark-web leak site to demonstrate seriousness and demands a ransom of $1.4m in Bitcoin.
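Both signals in the scenario above (a new authenticator registered shortly after a sign-in from an IP the user has never used, and a download volume far above the user's normal day) are detectable from audit logs. The following is an added example written for this page, not code from the firm, its SOC or Microsoft; the event records are constructed, and the field names (`type`, `ip`, `bytes`) are a simplified assumed schema rather than the real Entra ID or Microsoft 365 audit format.

```python
"""Added example: two detections over constructed M365-style audit events.
The schema below is an assumption for illustration, not Microsoft's real one."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Times are UTC, ISO 8601.
EVENTS = [
    {"time": "2024-03-04T08:55:00", "user": "jassoc", "type": "signin", "ip": "203.0.113.10"},
    # Attacker replays the captured session token from a new IP, then adds an authenticator.
    {"time": "2024-03-04T09:02:00", "user": "jassoc", "type": "signin", "ip": "198.51.100.77"},
    {"time": "2024-03-04T09:06:00", "user": "jassoc", "type": "mfa_registered", "ip": "198.51.100.77"},
    {"time": "2024-03-04T13:00:00", "user": "jassoc", "type": "download", "ip": "198.51.100.77", "bytes": 900_000_000},
    {"time": "2024-03-05T10:00:00", "user": "jassoc", "type": "download", "ip": "198.51.100.77", "bytes": 1_200_000_000},
    # A partner re-enrols a phone from the office: same signal type, benign context.
    {"time": "2024-03-04T09:10:00", "user": "partner", "type": "signin", "ip": "203.0.113.10"},
    {"time": "2024-03-04T09:30:00", "user": "partner", "type": "mfa_registered", "ip": "203.0.113.10"},
    {"time": "2024-03-04T11:00:00", "user": "partner", "type": "download", "ip": "203.0.113.10", "bytes": 40_000_000},
]

# Constructed baselines, as a SOC would derive them from the preceding 30 days.
KNOWN_IPS = {"jassoc": {"203.0.113.10"}, "partner": {"203.0.113.10"}}
BASELINE_BYTES = {"jassoc": 50_000_000, "partner": 50_000_000}  # typical daily download per user


def _ts(s):
    return datetime.fromisoformat(s)


def detect_mfa_persistence(events, known_ips, window=timedelta(hours=1)):
    """Flag 'mfa_registered' events from an IP outside the user's known set that
    follow a sign-in from that same unfamiliar IP within `window`.
    Returns a list of (user, ip, registration_time) tuples."""
    signins = defaultdict(list)  # (user, ip) -> sign-in times
    for e in events:
        if e["type"] == "signin":
            signins[(e["user"], e["ip"])].append(_ts(e["time"]))
    alerts = []
    for e in events:
        if e["type"] != "mfa_registered":
            continue
        user, ip, t = e["user"], e["ip"], _ts(e["time"])
        if ip in known_ips.get(user, set()):
            continue  # registration from a familiar location: treat as a routine re-enrolment
        if any(timedelta(0) <= (t - s) <= window for s in signins[(user, ip)]):
            alerts.append((user, ip, e["time"]))
    return alerts


def detect_egress(events, baseline_bytes, factor=10):
    """Sum download bytes per user per UTC day and flag days exceeding
    `factor` times the user's daily baseline.
    Returns a list of (user, day, total_bytes) tuples, sorted by user then day."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "download":
            totals[(e["user"], e["time"][:10])] += e["bytes"]
    return [(u, d, b) for (u, d), b in sorted(totals.items())
            if b > factor * baseline_bytes.get(u, 0)]


if __name__ == "__main__":
    for alert in detect_mfa_persistence(EVENTS, KNOWN_IPS):
        print("MFA method added from unfamiliar IP:", alert)
    for alert in detect_egress(EVENTS, BASELINE_BYTES):
        print("Download volume above baseline:", alert)
```

Run on the constructed events, the first rule fires once (the associate's account, new IP, four minutes after the replayed sign-in) and not for the partner's office re-enrolment; the second fires on both of the associate's download days. In a real tenant the same logic runs over the sign-in and audit logs rather than an inline list, and the IP check would usually be broadened to autonomous-system or country rather than exact address.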
The firm engages its cyber incident response panel within 90 minutes of discovery. Forensic analysis confirms exfiltration of approximately 4GB of matter data including the personal data of 312 individuals — the executive, family members, witnesses, and unrelated parties whose names appear in disclosure. The ICO is notified within the UK GDPR Article 33 72-hour window. The 312 data subjects must be notified under Article 34 because the breach is likely to result in a high risk to their rights and freedoms. The story is leaked and runs in the broadsheets.
The data subjects, mostly through coordinated action, bring civil claims for misuse of private information, breach of confidence, and statutory damages under UK GDPR Article 82. The ICO opens a formal investigation. The Solicitors Regulation Authority opens its own investigation into the firm’s information security practices and the supervision of the junior associate.
Which of the firm’s policies respond, and to which heads of loss?
The firm faces exposure on at least five separate fronts arising from the same factual incident.
UK GDPR Article 82. Article 82(1) provides that any person who has suffered material or non-material damage as a result of an infringement of the regulation has the right to receive compensation from the controller or processor. Material damage is straightforwardly pecuniary; non-material damage covers distress. The threshold for recovery of non-material damage was raised significantly in the United Kingdom by the Supreme Court’s decision in Lloyd v Google LLC [2021] UKSC 50, which held that “loss of control” of personal data is not itself a head of damage actionable under section 13 of the Data Protection Act 1998 (the predecessor regime), absent proof of material damage or distress. The current regime under UK GDPR Article 82 applies directly and the loss-of-control concept is still being worked out in lower court decisions. In any event, where actual distress flowing from the exposure of sensitive personal data is provable — and in this scenario it plainly is for many of the 312 data subjects — damages are recoverable.
Misuse of private information. The tortious cause of action recognised in Vidal-Hall and others v Google Inc [2015] EWCA Civ 311, and earlier in Campbell v Mirror Group Newspapers [2004] UKHL 22, provides for damages for distress where private information has been misused. For the executive whose medical history was exposed this is a strong cause of action.
Breach of confidence. The equitable cause of action remains relevant where information was supplied in circumstances importing an obligation of confidence — that is, the entire body of solicitor-client material.
The Information Commissioner's regulatory action. Under section 155 of the Data Protection Act 2018 the ICO may issue a penalty notice; the maximum amount (section 157, mirroring UK GDPR Article 83) is the higher of £17.5m or 4% of total worldwide annual turnover. The firm's group turnover is around £180m, putting the theoretical ceiling at about £7.2m. Recent enforcement decisions suggest the realistic penalty for a law-firm breach of this character is more likely to fall in the £600k–£2m bracket, depending on aggravating and mitigating factors such as the adequacy of the MFA controls and the speed of notification.
The SRA investigation. Under paragraph 6.3 of both the SRA Code of Conduct for Solicitors and the Code of Conduct for Firms, the affairs of current and former clients must be kept confidential unless disclosure is required or permitted by law or the client consents. The Code for Firms also requires effective systems and controls for compliance (paragraph 2.1), the identification and management of material risks (2.5) and an effective system for supervising client matters (4.3). The SRA may impose a financial penalty within its own fining powers or refer the matter to the Solicitors Disciplinary Tribunal, may impose conditions on the firm's authorisation, and in the extreme can intervene in the practice.
The firm’s cyber policy is a comprehensive cyber and privacy form with a £10m primary limit and a £15m excess layer.
Incident response costs. The cyber policy’s first-party heads pay the panel forensic firm (around £140k for this incident), the panel law firm coordinating the ICO and data subject notifications (£85k), the breach notification operational costs to 312 individuals (£32k including a credit-monitoring offer of £18 per head for two years), and the PR firm engaged once the press began calling (£60k). Cyber pays.
Ransom. The cyber policy will entertain a ransom payment subject to OFAC and OFSI sanctions screening. In this scenario the firm and the panel adviser conclude that paying would not stop publication: the attacker has already published the sample, the group's track record is not to honour payments made after a leak has begun, and a payment buys only an unverifiable promise to delete the remaining data. The firm declines to pay. Cyber would have paid if instructed; in the event nothing flows under this head.
ICO investigation defence costs. The cyber policy’s regulatory investigation head responds to the costs of defending the ICO investigation. The expected legal cost of running the regulatory process to conclusion is £250k–£400k. Cyber pays.
ICO fine. Where the wording is “to the extent insurable as a matter of law”, the cyber policy may indemnify the civil-side monetary penalty notice if and when it is imposed. The insurability question is contested. The cyber underwriter will reserve on this point.
Civil claims liability. The third-party liability head of the cyber policy responds to damages payable to the 312 data subjects. The market expectation for this kind of claim, based on settled cases for sensitive-category breaches, is in the £500–£3,000 per head bracket. For 312 claimants that is a range of £156k–£936k in damages, plus the claimants’ legal costs. Cyber pays.
Defence of the civil claims. Defence costs in respect of the civil claims are typically covered under the same third-party head as the indemnity. Cyber pays.
The firm’s PI policy is an SRA Minimum Terms compliant policy with a £20m limit (£3m primary, £17m excess) written by a syndicate panel. The Minimum Terms drive a wide form of civil liability cover.
Civil claims by data subjects who were clients of the firm. The executive, the spouse and the immediate family were all clients in the matter. Their claim against the firm for breach of confidence and breach of professional duty is squarely within the PI definition. The civil liability head responds. PI pays.
Civil claims by data subjects who were not clients of the firm. This is where the analysis becomes interesting. Of the 312 affected individuals, 247 were not clients of the firm. They are third parties whose personal data appeared in the case file by virtue of being witnesses, opposing parties, or named third parties in disclosure. The duty owed to them was a duty of confidence under the wider obligations attaching to a solicitor in conduct of litigation, and a statutory duty as controller of personal data under UK GDPR. PI cover is civil liability arising out of the conduct of the practice under the SRA MTC. The non-client claims are arising out of the conduct of the practice. PI is engaged.
Defence of the SRA investigation. PI policies for solicitors typically include defence cost cover for regulatory proceedings of the SRA — usually under a separately captioned regulatory defence head. PI pays.
ICO fine and ICO investigation. PI traditionally does not respond to ICO investigation costs (an ICO investigation is not a “claim” in the ordinary PI sense). PI is silent. Cyber is the home.
The civil claims by data subjects sit in both policies. The cyber policy’s third-party liability head and the PI policy’s civil liability head are both engaged. Without coordination the firm pays two excesses (cyber £100k, PI £250k) and risks the two insurers pointing at each other.
The "other insurance" clause in each wording is the starting point. Cyber wordings often say cover is excess of any other valid and collectible insurance unless the cyber policy is specified as primary. PI wordings often say the same about the cyber policy. The result is a deadlock that can only be resolved by brokered coordination.
In this scenario the firm's broker (this is exactly what Apex would expect to do for a similar client) negotiated a "one primary, the other excess" approach: PI is primary for civil claims, cyber is primary for incident response and regulatory defence, and the excesses do not double up. This was documented in a coverage co-ordination memorandum signed by both insurers before the first defence step. The cost of getting this right is essentially a phone call; the cost of getting it wrong can be six figures.
Take a single illustration of the indemnity flow.
| Head of loss | Quantum | Policy responding | Excess |
|---|---|---|---|
| Forensic investigation | £140,000 | Cyber | £100k cyber |
| Legal coordination | £85,000 | Cyber | within excess |
| Data subject notification | £32,000 | Cyber | within excess |
| PR | £60,000 | Cyber | within excess |
| ICO defence costs (estimated) | £350,000 | Cyber | within excess |
| ICO monetary penalty (assumed) | £1,200,000 | Cyber (subject to insurability) | within excess |
| SRA defence costs | £180,000 | PI | £250k PI |
| Civil damages — clients (65 × avg £1,800) | £117,000 | PI | within excess |
| Civil damages — non-clients (247 × avg £1,200) | £296,400 | PI | within excess |
| Claimants’ costs | £420,000 | PI (allocated) | within excess |
| Total quantum | £2,880,400 | mixed | £350k aggregate |
The firm's net out-of-pocket cost is the two excesses (£350k if they are not coordinated) plus any uninsured tail: any portion of the ICO penalty held to be uninsurable, and the lost billable-hour productivity during the three-week response window. Neither policy picks up that productivity loss here, because cyber business-interruption cover is typically triggered by system unavailability, not by exfiltration from systems that kept running.
The gap in this scenario is more about reputation than coverage. The firm loses two major institutional clients in the following twelve months who cite the breach as the reason. The lost gross profit on those instructions is around £1.8m. Neither policy pays.
There is also a partner-level emotional and managerial cost (lost partner time on the response, lost time generally) which is not insured.
For any law firm holding sensitive client data:
Check the cyber policy's retroactive date against your PI cover. Civil claims may be brought up to six years after the breach, and a cyber wording with a late retroactive date can leave a claim that PI would otherwise share sitting on the firm alone.
Negotiate the cyber crime / social engineering sub-limit upwards. While not the central head in this scenario, the same email compromise that enabled the data theft could equally have enabled a fraudulent wire instruction.
Document the ICO insurability position with your cyber underwriter in writing before the renewal. Don’t discover at the worst possible moment that the underwriter’s view of insurability differs from yours.
Ensure that ICO investigation defence costs have a confirmed home: either your SRA Minimum Terms PI policy expressly includes regulatory defence for ICO matters, or the cyber wording is confirmed in writing as picking them up, so that the two insurers cannot each point at the other.
Consider a separate D&O extension to deal with shareholder or partner-level claims arising from public breaches.
Run a tabletop exercise. The firm in our scenario performed materially better than industry average because they had walked through the scenario nine months earlier.
Q1. Can the same data subject claim against both the cyber and PI policies? A claimant claims against the firm, not against the policies. The firm tenders the claim to both. Coordination between insurers ensures the claim is paid only once.
Q2. What if the ICO finds no fault in the firm? The investigation defence costs are still incurred and indemnifiable under cyber. No fine is imposed. Civil claims may still proceed independently — a finding of compliance is helpful but not determinative.
Q3. Does the SRA Minimum Terms cyber treatment differ from the wider market? Yes. SRA MTC requires PI to cover civil liability arising out of practice; this is wider than many non-regulated professions and pulls cyber-rooted claims into PI more comfortably. The SRA published a clarification in 2023 confirming that cyber-related civil claims fall within the MTC.
Q4. Are settlements with data subjects covered? Yes, under both the cyber third-party head and the PI civil liability head, subject to insurer consent.
Q5. Would paying the ransom have helped? On the evidence in this scenario, no. The sample was already published, and payment buys only an unverifiable promise to delete the rest. Payment to a group, or to affiliates of a group, designated under UK or US sanctions can itself be a sanctions breach, which is why the cyber insurer's OFSI and OFAC screening comes before any payment decision.
Q6. What if the junior associate had also taken some of the data with malicious intent? That brings dishonesty exclusion considerations into the PI policy (innocent-partner cover applies under SRA MTC for the firm); the cyber policy’s malicious insider coverage may also apply if it has been negotiated.
Q7. How long will the regulatory process take? ICO formal investigations typically run 12–24 months from notification to monetary penalty notice. SRA investigations can run 12–36 months. Civil claims tend to follow the regulatory finding.
Q8. What happens at the next PI renewal? The incident is materially disclosable under section 3 of the Insurance Act 2015. Premium increases of 30–80% are typical post-incident. See spoke 10.
UK GDPR Articles 33, 34, 82. Data Protection Act 2018, section 155. Lloyd v Google LLC [2021] UKSC 50. Vidal-Hall and others v Google Inc [2015] EWCA Civ 311. Campbell v MGN Ltd [2004] UKHL 22. SRA Standards and Regulations: Code of Conduct for Firms and Code of Conduct for Solicitors. SRA Minimum Terms and Conditions. Insurance Act 2015, section 3. ICO Enforcement Action register.
Related pages:
Hub: Cyber vs PI — where cover ends and begins
Spoke 5: Data Protection Act 2018 / UK GDPR — civil claim coverage
Spoke 6: The notification clock problem
Spoke 10: Broker due diligence at PI renewal
Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber and PI policy wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.