You are viewing 1 of your 1 free articles
High Court rules landlord entitled to additional £6m indemnity from insurance broker after data breach
A housing association’s broker has been found liable for “breach of duty” in a landmark High Court judgment.
High Court rules landlord entitled to additional £6m indemnity from insurance broker after data breach #ukhousingWatford Community Housing (WCH) brought a professional negligence claim against Arthur J Gallagher Insurance Brokers for failing to make “timely notifications” of a data breach to one of three of its insurers.
Deputy High Court Judge David Bailey found that Gallagher was liable to WCH for a “breach of duty” that deprived the claimant of up to £5m in potential indemnity.
In March 2020, one of the landlord’s employees accidentally sent an email that included personal data such as the sexual orientation and ethnicity of 3,544 tenants and employees to 3,167 recipients.
Read more
WCH had three insurance policies at the time, including a “cyber policy” underwritten by Pen Underwriting on behalf of Lloyds for up to £1m; a “combined policy”, underwritten by QBE with a £5m limit; and a “professional indemnity (PI) policy” underwritten by Hiscox of up to £5m.
The court found that Gallagher did not tell WCH to notify two of its insurers of the breach until the coverage periods had expired – leaving the housing association without £5m of the cover it had paid for.
WCH claimed that Gallagher advised it to notify only its cyber insurers, rather than the combined and PI policyholders.
Judge Bailey’s ruling stated that WCH was entitled to the full £11m indemnity. Gallagher’s legal team had argued it would only have been entitled to a cap of £5m cover regardless, due to the terms of the policies, which the judge dismissed.
The email data breach gave rise to 1,136 complaints against WCH. The housing association has so far settled or is attempting to settle 1,050 valid claims against it.
WCH expects it will end up paying more than the £6m it has already paid out over the breach. The period for claims to be made lasts until 23 March 2026.
“But for the defendant’s breach of duty, the claimant would have had the benefit of triple insurance against its losses from the data breach under a horizontal layer of primary insurance providing £1m of cover under the cyber policy, £5m of cover under the combined policy, and a further £5m of cover (plus defence costs) under the PI policy,” Judge Bailey’s ruling stated.
“The claimant had paid premium for a total of £11m of coverage and, in my view, there is no legitimate basis on which its entitlement to an indemnity should or can be reduced to a total of £5m.”
He concluded: “But for the defendant’s negligence, the claimant would have been legally entitled to recover an indemnity under the three policies in respect of the whole of its loss caused by the data breach up to a combined limit of £11m.
“In my judgment, therefore, the claimant is entitled to damages from the defendant in an amount equivalent to the losses that the insurers would have been legally liable to pay over and above the £6m that the claimant has already recovered.”
Both WCH and Gallagher declined to comment.
Sign up for our regulation and legal newsletter
Already have an account? Click here to manage your newsletters
Related stories
