The latest IBM Cost of a Data Breach Report 2021 reports that business email compromise was responsible for only 4% of breaches, but had the highest average total cost of the 10 initial attack vectors in the study, at $5.01 million. The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million).

The Information Commissioner’s Office (ICO) has published a consultation on draft international data transfer agreement (IDTA) and guidance to replace Standard Contractual Clauses (SCCs) which adopts a different approach from the EU’s new SCCs for international data transfers mentioned in our July 2021 issue but includes an addendum which can be used alongside the EU SCCs. It includes a format for carrying out required risk assessments for transfers of data to countries which have not been granted adequacy status under UK GDPR.

In Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), claims for breach of confidence, misuse of private information, and common law negligence arising from a data breach were struck out, leaving a claim for breach of the Data Protection Act 1998, in relation to the seventh data protection principle. Any misuse of data was by the attacker, not the defendant, claims are confined to breaches of data protection legislation, and there was no concurrent liability for negligence. The case has important practical implications because it effectively precludes recovering the cost of After The Event (ATE) insurance premiums.

We have advised many US firms on extra-territorial enforcement of the EU General Data Protection Regulation and UK GDPR contains similar provisions. Our website contains a link to The Sedona Conference Commentary on the Enforceability in U.S. Courts of Orders and Judgments Entered Under GDPR which contains a comprehensive analysis of the issues.

In a further transatlantic development, a claim for damages under UK GDPR was dismissed by the US courts as the UK courts were the appropriate forum. See Elliott v. Pubmatic, Inc. (4:21-cv-01497), California Northern District Court.

Links to the above can be found on

The European Data Protection Board (EDPB) has published Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Although not technically binding in relation to UK GDPR this will nonetheless be of interest as it contains extensive guidance. This and other extensive data protection resources are on

‹ Back to Publications