Vicarious liability ruling could be game changer for cyber insurers

2018 Informa plc. This article was originally published in Insurance Day, January 2018

“If the finding of vicarious liability on the part of Morrisons is upheld, insurers will need to consider the potential of significantly increased liability risk in data breach litigation”

The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.

This means a company can be held liable to compensate affected data subjects for loss – including non-pecuniary loss such as upset and distress – caused by a data breach, even when no wrongdoing has been committed by the company.

The judgment and its implications will be of interest to insurers across all liability lines – not least cyber and employers’ liability insurers – which will need to start considering whether the judgment could expose insured firms to a greater liability risk than was previously the case.

But the long-term significance of the judgment is only likely to become clear in due course. The judgment grants the defendant leave to appeal against the finding of vicarious liability, having given a very broad interpretation to the various requirements which need to be satisfied for vicarious liability to be established.

In this regard, the judgment notably acknowledges the finding of vicarious liability could lead to the paradoxical result of furthering the intention of the rogue employee – which was to cause financial harm to his employer.

It remains to be seen whether the findings of the judgment will survive the appeal process. In addition, the judgment does not deal with the important issue of quantum, so it is not clear what level of damages award might be made against a company (and perhaps ultimately passed on to insurers) in these circumstances.

In 2014, a rogue employee of Morrisons supermarkets leaked the payroll data of almost 100,000 Morrisons employees – including their names, addresses, National Insurance Numbers, bank accounts and salaries. The employee, Andrew Skelton, was ultimately given an eight-year prison sentence for various criminal offences as a result of his actions.

A group of 5,518 former and current employees of Morrisons subsequently brought a claim against Morrisons in the English courts, alleging breaches by Morrisons of the Data Protection Act 1998 (DPA), as well as an equitable claim for breach of confidence and a tort claim for misuse of private information. The claimants argued Morrisons should be held directly liable for the losses arising out of the breach or vicariously liable for the acts of Skelton.

Morrisons defended the claims on the basis it could not be held liable, either directly or vicariously, for Skelton’s unauthorised criminal misuse of data to which he had access. The court held primary liability could not be imposed on Morrisons under the DPA for breach of confidence or for misuse of private information. This finding was made on the basis it was not Morrisons itself which caused the data breach – rather, the breach was caused by Skelton, acting without authority and criminally.

However, vicarious liability could be imposed on Morrisons in relation to the actions of Skelton. In this regard, the court referred to the existing body of case law in finding that: an employer such as Morrisons can be held liable for the acts of their employees “in the conduct of the employees’ employment” and Skelton’s actions in leaking the data were committed in the conduct of his employment.

The court gave this term the broad interpretation which the Supreme Court applied in 2016 (Mr AM Mohamud v WM Morrison Supermarkets) in making this determination. The drafting of the DPA does not preclude the imposition of vicarious liability on a company in circumstances where direct liability for a breach of the DPA would rest with an employee (in this case, Skelton).

Morrisons’ appeal against the judgment is expected to be lodged shortly. The judgment does not allow for a cross-appeal on the issue of whether Morrisons should be primarily, as well as vicariously, liable – but it is possible the claimants might seek leave to appeal this point as well.

As the judgment does not deal with the issue of quantum, the compensation to be awarded to the affected employees as a result of Morrisons’ vicarious liability is also unknown. There remains much to play for in the case and the appeal process will be closely monitored by UK employers and their insurers in the coming months.

If the finding of vicarious liability on the part of Morrisons is upheld, insurers will need to consider a potentially greater liability risk for their insured companies. Underwriters would be well-advised to consider how to assess this risk prior to placing or renewal, which may involve an analysis – to the extent possible – of the extent to which an insured company’s employees could cause data breaches in the conduct of their employment.

In the meantime however, both the appeal process relating to the recent judgment – and the terms of any future judgment relating to the quantum of any damages award against Morrisons – should be watched closely. It may be some time before we know the full impact that Morrisons will have on the liability insurance market.

Ffion Flockhart is a partner and Steven Hadwin an associate at Norton Rose Fulbright