Gallagher on the hook for up to £5m damages

In March 2020, an employee of Watford Community Housing sent an email to more than 3000 recipients inadvertently disclosing the personal data of more than 3000 tenants and employees.

The data breach gave rise to more than 1000 complaints, the  majority of which were deemed to be valid and which WCH either settled or are still in the process of settling.

WCH subsequently brought a claim for negligence against Gallagher, alleging the broker had failed to notify one of its insurers in a timely manner.

This means that, but for the defendant’s negligence, the claimant would have been legally entitled to recover an indemnity under the three policies in respect of the whole of its loss caused by the data breach up to a combined limit of £11m

A court judgment handed down earlier this month detailed Gallagher admitted it had been negligent but argued the breach of duty did not cause any loss to double insurance provisions in WCH’s policies.

The case was heard by David Bailey KC, sitting as a deputy High Court judge, in December last year.

Three policies

At the time of the data breach, WCH held three policies that included relevant cover: a cyber policy underwritten by Pen Underwriting on behalf of insurers at Lloyd’s, a QBE combined policy, and a Hiscox professional indemnity policy.

The cyber policy provided data breach cover up to an aggregate limit of £1m, while the QBE and Hiscox policies both provided cover up to a £5m limit.

While Gallagher notified the cyber policy insurers of the data breach shortly after the incident, QBE and Hiscox were not notified until after the end of the policy period, leading both to decline cover.

QBE later agreed to indemnify WCH, whereas Hiscox maintained its declinature and the parties agreed it was entitled to do so.

The upshot of this was that, between the cyber and QBE policies, WCH has £6m of cover available to it. Of this, the court judgment detailed the £1m cyber policy has been exhausted and the £5m QBE limit has been “substantially eroded”.

It is anticipated the cost of the data breach claims against WCH will exceed £6m, leaving it having to pay out of pocket and facing the possibility of further claims until the end of the limitation period in March 2026.

As such, WCH sued Gallagher, arguing the broker’s actions cost it £5m worth of cover that would’ve been available under the Hiscox policy.

Gallagher’s case

Gallagher argued even if it had notified all insurers of the breach in a timely manner, the cover available to WCH would’ve been capped at £5m – less than the housing trust eventually found available to it.

The broker said ‘other insurance’ or ‘non-contribution’ clauses in the three policies – designed to restrict cover in the event that a policyholder has other valid cover under another policy – cancelled each other out, resulting in WCH being triple insured.

It argued in this situation, the maximum total indemnity recoverable by an insured could not exceed the highest limit among the relevant policies, in this case £5m.

It suggested in this case, all insurers involved would’ve been liable to split the first £1m of cover, with QBE and Hiscox then being liable to split any liability above £1m up to £5m.

Housing trust’s case

WCH contested Gallagher’s assertion that the delay hadn’t resulted in any loss, arguing but for that breach of duty it would’ve been entitled to either £10m or £11m, plus additional cover from Hiscox for defence costs, which were not included in the relevant limit in the Hiscox policy.

The housing trust accepted the ‘other insurance’ clauses in the cyber and QBE policies cancelled each other out, but it argued the clause in the Hiscox policy was “in materially different terms”.

As a result, the housing trust stated had Gallagher notified Hiscox when it ought to have done, WCH would’ve had the benefit of an additional layer of £5m excess cover above a layer of either £5m or £6m of primary cover provided by the other two policies.

The housing trust also disputed Gallagher’s submission as to what ought to happen in cases of double – or in this case, triple – insurance.

It argued that even if all the clauses cancelled each other out, WCH would’ve been able to claim under the policies in whichever order it wished up to a combined limit of £11m plus defence costs.

Ruling

The judge was unconvinced by WCH’s argument that the difference in the way the ‘other insurance’ clause was drafted in the Hiscox policy effectively turned it into an additional layer of excess cover, instead finding all three clauses cancelled each other out.

However, he also found against Gallagher’s case on what the effect of triple insurance would’ve been, ruling WCH would’ve been entitled to claim up to the combined limits of all three polices.

“This means that, but for the defendant’s negligence, the claimant would have been legally entitled to recover an indemnity under the three policies in respect of the whole of its loss caused by the data breach up to a combined limit of £11m,” he said.

As a result, the court found that WCH is entitled to damages from Gallagher in the amount of any losses insurers would’ve been liable to pay over and above the £6m of cover available to the housing trust from QBE and the cyber policy insurers.

The total damages Gallagher could find itself on the hook for therefore stand at £5m of liability costs, plus any legal costs the Hiscox policy would have covered.

Gallagher declined to comment.