Good news for corporates on cyber insurance

The UK Supreme Court has delivered good news to corporates, ruling that the Morrisons supermarket group was not vicariously liable for the actions of an employee who leaked staff data back in 2014.

The ruling is good news for insureds – it was the first data class action in the UK of its type and was a much-anticipated judgment, as it sets a precedent that will shape the future risk profile of cyber policies.

The Supreme Court allowed an appeal by WM Morrison Supermarkets Plc. (Morrisons) against a Court of Appeal decision that the supermarket was vicariously liable for a deliberate data breach by a disgruntled ex-employee, which exposed personal data of almost 100,000 of its employees.

Background

In 2014, Andrew Skelton, an employee of Morrisons, posted personal details of almost 100,000 Morrisons employees on a file-sharing website and later notified the press of the data breach. The personal information published included details of salaries and bank accounts, which Mr Skelton had access to as part of an auditing task he was asked to carry out.

As soon as Morrisons became aware of the breach, it took action to remedy the situation and mitigate financial losses stemming from the data leak. Morrisons was not found liable for any wrongdoing. Mr Skelton was convicted under the Data Protection Act 1998 (DPA) and Fraud Act 2006 and sentenced to eight years in prison.

In the first action of its kind, 5,518 of the employees affected by the breach brought a class action against Morrisons, alleging that the supermarket was directly or vicariously liable for the breach of the DPA and/or misuse of private information and/or breach of confidence. The High Court found that Morrisons did not have direct liability under the DPA (or under common law or equity) but was vicariously liable for the data breach. In respect of the first limb (direct liability), the court held that Mr Skelton acted independently from his employer and in doing so became the data controller who breached the DPA.

In respect of establishing vicarious liability, the judge rejected arguments that the DPA excluded vicarious liability from a breach of that Act. The court rejected further arguments that Mr Skelton was not acting in the course of his employment and held that it did not make any difference that the breach occurred away from the workplace during non-working hours.


Supreme Court judgment

The Supreme Court hearing took place on 6-7 November 2019. The issues considered by the Supreme Court were:

  • Whether the DPA excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence.
  • Whether the Court of Appeal erred in concluding that the disclosure of data by the appellant’s employee occurred in the course of his employment, for which the appellant should be held vicariously liable.

In allowing the appeal, the Supreme Court unanimously held:

  • The Court of Appeal had misunderstood the principles governing vicarious liability. In considering the application of the ‘close connection’ limb of the two-stage test for establishing vicarious liability, the Supreme Court held that employers will not be liable for an employee’s wrongful act where that act was not done in furtherance of the employer’s business but was a deliberate attempt to harm the employer as part of a personal vendetta. Consequently, no vicarious liability arose in this case.
  • The argument by Morrisons that the DPA excluded vicarious liability was “unpersuasive”. While it was not necessary to express a view on this point in light of the conclusion that the appellant was not vicariously liable for Mr Skelton’s actions, the court held that imposing vicarious statutory liability was “not inconsistent” with the existence of vicarious liability at common law. In particular, it noted: “Imposing statutory liability on a data controller like Mr Skelton is not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA says nothing about a data controller’s employer. It is irrelevant that a data controller’s statutory liability under the DPA is based on a lack of reasonable care, while vicarious liability for an employee’s conduct requires no proof of fault. The same contrast exists at common law between, for example, an employee’s liability in negligence and an employer’s vicarious liability. It makes no difference that an employee’s liability may arise under statute instead [54-55]. The appeal is therefore allowed [56].”

Implications

This case represents the first data class action in the UK of its type and was a much-anticipated judgment.

The Supreme Court’s findings of fact in relation to Mr Skelton’s role and the reason why Mr Skelton acted wrongfully are of particular relevance. Equally, the Supreme Court has provided much-needed clarity on the potential scope of vicarious liability as it may apply to “rogue employees” and “insider threat scenarios” in the context of data breach incidents.

A question remains as to whether any avenues for pursuing vicarious liability claims against employers are still open to affected data subjects in future cases.

While the affected data subjects may be prevented from pursuing a class action on grounds of vicarious liability in circumstances where the employee was held to be acting outside of the course of employment when the data breach occurred, the Supreme Court has left the door open for class actions to be brought under the DPA in circumstances where an employer is held vicariously liable for a data breach.

There are also likely to be other routes for a class action that the cyber insurance market will be exposed to. This Supreme Court decision does however narrow one particular sub-species of potential grounds for data subjects to claim.

In the next few weeks, we will be considering the implications of this landmark judgment and providing further insights focusing on its impact on the cyber insurance landscape.

Contributed by Helen Bourne, partner, and Rosehana Amin, senior associate, at Clyde & Co
