Breach of confidentiality
| Category | Core PI concepts |
|---|---|
| Also known as | breach of confidence, confidentiality extension, loss of confidentiality cover |
| First codified | Common law duty of confidence; statutory data protection regime in Data Protection Act 2018 and UK GDPR |
| Related legislation | Data Protection Act 2018, UK GDPR |
Breach of confidentiality cover is a professional indemnity extension that indemnifies the insured against legal liability and defence costs arising from the unauthorised disclosure, use or misuse of confidential information acquired in the conduct of the professional business, including liability under the common law duty of confidence and certain liabilities under data protection legislation.
Definition
Breach of confidentiality cover is an extension to a professional indemnity insurance policy that responds where the insured incurs legal liability for the unauthorised disclosure or misuse of confidential information obtained in the course of the professional business [1]. The extension typically covers two broad categories of liability: liability at common law for breach of confidence; and certain civil liabilities arising under data protection legislation.
The common law duty of confidence arises where information is communicated in circumstances importing an obligation of confidence, such that the recipient cannot in good conscience use or disclose the information without authority. The classic three-element formulation is: information of a confidential character; circumstances importing an obligation of confidence; and unauthorised use or disclosure to the detriment of the party communicating it. Professional advisers — solicitors, accountants, brokers, financial advisers, consultants — receive information in such circumstances on a routine basis and are subject to the duty in respect of client and third-party information.
Data protection liability is governed by the Data Protection Act 2018 and the UK GDPR [2][3]. A person who has suffered material or non-material damage as a result of an infringement of the UK GDPR may claim compensation under Article 82 of the UK GDPR and section 168 of the DPA 2018. Liability of this kind is normally within scope of a breach of confidentiality extension, although wordings differ.
The extension may sit alongside, or be partly displaced by, a stand-alone cyber insurance policy. Coordination of the two covers, particularly in respect of personal data breaches arising from a cyber event, requires careful review of the 'other insurance' provisions.
Legal / Regulatory basis
The common law duty of confidence has a long history in English equity, with the leading modern statement found in Coco v AN Clark (Engineers) Ltd [1969] RPC 41 (though more recent authorities have refined the test). The duty is owed by solicitors, accountants, brokers and other professionals to their clients, by employees to their employers, and by recipients of information generally where the circumstances import an obligation of confidence. Remedies for breach include injunctive relief, damages, an account of profits and, in cases involving private information, awards for distress and loss of autonomy.
The Data Protection Act 2018 and the UK GDPR provide a parallel statutory regime governing the processing of personal data. A controller or processor is liable to a data subject for material or non-material damage caused by infringement of the UK GDPR, including unauthorised disclosure of personal data [2][3]. The Information Commissioner has separate enforcement powers, including the power to impose administrative fines of up to the higher of £17.5m or 4 per cent of worldwide annual turnover.
For solicitors, the SRA Code of Conduct imposes specific duties of confidentiality to clients and former clients, with limited exceptions for disclosure required by law or with consent [4]. Equivalent professional rules apply to RICS members [5], ICAEW members [6], and ARB-registered architects [7]. BIBA members are subject to comparable confidentiality obligations [8].
For insurance intermediaries the FCA's regulatory framework, including PRIN and SYSC, requires the maintenance of appropriate systems to protect customer information; failure to do so can give rise to FCA enforcement action separate from any civil liability.
Liabilities for fines and penalties under the data protection regime are normally excluded from PI cover, as are liabilities for criminal sanctions, on standard public-policy grounds.
How it works in practice
A breach of confidentiality claim under a PI policy typically begins with either a complaint from the affected client or data subject, or with the discovery of the unauthorised disclosure by the insured itself. Where personal data is involved, the insured will also have an immediate obligation to consider notification to the ICO within 72 hours where appropriate [3].
The insurer's response will normally include the appointment of specialist legal counsel to address: (i) the immediate containment of the disclosure (recall of misdirected documents, takedown of online publication, etc.); (ii) notification obligations under the data protection regime; (iii) the substantive defence of the underlying claim by the affected party; and (iv) regulatory liaison with the ICO or, in solicitor cases, the SRA.
Substantive defence strategies vary. For common law breach of confidence, defences may include consent, public interest disclosure, lack of confidentiality in the information (because it has entered the public domain) or absence of detriment. For UK GDPR Article 82 claims, the controller or processor can defend on the basis that it is 'not in any way responsible for the event giving rise to the damage' [3].
Recoverable damages in confidentiality claims have evolved significantly. Pure financial loss is recoverable in principle; in personal data cases, modest damages for distress and loss of control of data have been awarded, although the level remains contested. Class actions and representative actions in data protection have attracted considerable judicial attention, with the Supreme Court's decision in Lloyd v Google LLC [2021] UKSC 50 limiting certain representative action strategies though not eliminating individual claims.
The cover typically responds to defence costs and to any damages or settlement payable to the affected party, subject to the sub-limit. Notification costs, credit monitoring services for affected data subjects and forensic IT costs may be covered under either the PI extension or a stand-alone cyber policy, depending on the wording. The interaction with the dishonesty exclusion is important: deliberate disclosure by a rogue employee is normally excluded as against the employee but may be covered as against the firm in defined circumstances.
Common variations
Common law breach of confidence only. The narrowest formulation, covering equitable confidence claims but excluding data protection liability. Increasingly uncommon as the data protection regime has become the principal driver of confidentiality litigation.
Common law and statutory data protection. The market standard, covering both common law and UK GDPR / DPA 2018 civil liability claims, but excluding administrative fines.
Notification cost extension. An additional extension covering the costs of notifying affected data subjects, ICO and other regulators, and the reasonable cost of credit monitoring services. Some policies sub-limit this within the breach of confidentiality cover; others place it in a separate notification cost section.
Cyber-excluded breach of confidentiality. A wording that responds to traditional misdirection and disclosure but excludes confidentiality breaches arising from a cyber incident, pushing those losses to a stand-alone cyber policy.
Defence costs only. A few legacy wordings respond only to defence costs in confidentiality matters, leaving the insured exposed to settlement payments. Generally inadequate for modern professional practice.
Liability of officers and employees. Some wordings extend cover to employees of the insured in respect of allegations made against them personally. Important where individuals are named in claims alongside the firm.
Example
An illustrative example: a firm of management consultants is engaged on a strategic review for a manufacturing client. A draft report containing commercially sensitive cost and pricing data is emailed in error to a competitor with a similar email address. The competitor discloses the receipt to the client, who threatens proceedings for breach of confidence. Some of the data also constitutes personal data of named senior managers, triggering UK GDPR notification considerations.
Under a breach of confidentiality extension subject to a sub-limit of £2m (illustrative only), the insurer instructs specialist counsel to: (i) seek undertakings from the competitor as to non-use and destruction of the data; (ii) advise on notification to the ICO and to affected data subjects; (iii) negotiate with the client on the underlying claim. The matter settles for £150,000 plus £85,000 defence costs, with the competitor providing destruction undertakings and the ICO closing its file without enforcement action after an initial review.
See also
- /wiki/professional-indemnity-insurance/ — parent contract
- /wiki/civil-liability/ — broader trigger
- /wiki/defamation-cover/ — companion extension
- /wiki/ip-infringement-cover/ — related extension
- /wiki/loss-of-documents/ — related extension
- /wiki/dishonesty-exclusion/ — interaction with intent
- /wiki/fair-presentation-of-the-risk/ — disclosure of prior incidents
- /wiki/insurance-act-2015/ — governing statute
References
[1] Standard market wordings; SRA Minimum Terms and Conditions of Professional Indemnity Insurance — https://www.sra.org.uk
[2] Data Protection Act 2018 — https://www.legislation.gov.uk/ukpga/2018/12
[3] UK GDPR (retained Regulation (EU) 2016/679) — https://www.legislation.gov.uk/eur/2016/679/contents
[4] SRA Indemnity Insurance Rules — https://www.sra.org.uk
[5] RICS Rules of Conduct (2022) — https://www.rics.org
[6] ICAEW Code of Ethics — https://www.icaew.com
[7] ARB Code of Conduct — https://www.arb.org.uk
[8] BIBA Member Code of Conduct — https://www.biba.org.uk