A professional firm that loses control of personal data faces liability on two fronts. The first is regulatory: the UK General Data Protection Regulation and the Data Protection Act 2018 give the Information Commissioner's Office power to investigate and to impose monetary penalties of up to 17.5 million pounds or 4 per cent of annual worldwide turnover, whichever is higher, for the most serious infringements. The second is civil: data subjects can claim compensation under Article 82 UK GDPR for material and non-material damage, including distress.
The scope of civil liability has been shaped by two Supreme Court decisions. In Various Claimants v Wm Morrisons Supermarkets plc [2020] UKSC 12 the court held that an employer was not vicariously liable for a rogue employee who deliberately leaked payroll data, because the employee was on a "frolic of his own" rather than acting in the course of employment. In Lloyd v Google LLC [2021] UKSC 50 the court held that damages are not available for a mere loss of control of data without proof of material damage or distress, which curtailed representative "opt-out" data claims.
These decisions matter to solicitors and accountants because they set the boundaries of the civil exposure a policy is being asked to cover. They do not remove the regulatory exposure, which runs regardless of whether any individual can prove loss.
A data breach caused by the firm's own security failure is the natural territory of a cyber policy: incident response, notification costs, credit monitoring, defence of ICO action and civil claims. A data breach that is really a professional failure - a solicitor emailing privileged material to the wrong party, an accountant mis-sending a client's tax data - may engage the PI policy instead, because the root cause is negligent conduct of the profession rather than a technical compromise.
The question insurers ask is what caused the loss, not what the loss looks like. A phishing intrusion is a cyber event. A careless disclosure is a professional act. Where the two combine - a negligent configuration that leads to a breach - the allocation turns on the exclusions in each wording. Apex reviews both policies so a firm knows, before an incident, which insurer it would be turning to.
Firms often focus on the headline penalty, but the regulatory fine is frequently the smaller part of a data-breach loss. The larger costs are the forensic investigation, the legal advice on notification, the communications to affected individuals, the credit-monitoring or identity-protection offered to them, and the management time consumed for months afterwards. For a small professional practice these first-party costs can dwarf any civil award, and none of them is answered by a professional indemnity policy.
That is why a firm holding client data should not treat PI as sufficient protection against a breach. The PI policy answers the third-party negligence claim; the first-party cost of managing the breach belongs to a cyber policy. Apex sets out that division clearly so a firm knows, before an incident, which losses it has protected and which it has left on its own balance sheet.
Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.