Mark Deem recounts the Morrisons tale of woe and considers its implications
The received wisdom was always that the greatest exposures created by a cyber security incident or data breach were the costs of remediation, business disruption and any regulatory fine. Whilst litigation risk existed, it was generally felt that such losses would only be suffered in the context of a security event introduced into the supply chain. Accordingly, cyber coverage for many was a rather limited affair – dealing with the costs of remedying a breach, any impact on trading activity and, to the extent permissible, penalties and fines.
This may all be about to change, following the decision of the High Court in Various Claimants v Wm Morrisons Supermarket PLC  EWHC 3113 (QB) and as a result of the much-heralded implementation of the GDPR in May.
The High Court ruling is particularly significant in that the supermarket chain in question was found vicariously liable for actions of a rogue employee, even though the Court was ultimately satisfied that the employer had itself broadly done nothing wrong.
The case related to the actions of a senior auditor of the Bradford-based supermarket chain who had, in late 2013 and following some internal disciplinary proceedings against him, stolen personal data (including names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank account details and salary information) of almost 100,000 employees. The stolen information was uploaded by the employee to a file-sharing website in early January 2014 and, just over two months later (and shortly before the public announcement of its annual financial reports), a CD of the material was delivered anonymously to three newspapers, exposing the data subjects to risk of identity fraud and financial losses.
Morrison’s management were immediately informed of the issue by the newspapers and the file-sharing website was taken down, within hours. Following internal investigations (and at some considerable cost to the business), the employee was arrested, charged and convicted of an offence under the Computer Misuse Act 1990 and under the Data Protection Act 1998. He is presently serving a term of eight years’ imprisonment.
That, however, was not the end of the matter for the supermarket as, in 2015, 5,518 affected employees commenced an action seeking compensation for breach of statutory duty under the Data Protection Act 1998 and, at common law, for the tort of the misuse of private information and an equitable claim for breach of confidence.
The claims were made on the basis that Morrisons were primarily liable for the data loss, failing which they were vicariously liable as employer for the actions of the rogue employee.
The Court held that, except in one respect which did not result in any loss, the supermarket had not breached any of the data protection principles and was not primarily liable. However, there was a sufficiently close connection between the actions of the employee and his employment for Morrisons to be found vicariously liable.
Permission was granted by the High Court for Morrisons to appeal the conclusion as to its vicarious liability, but not for a cross-appeal concerning the question of primary liability. In granting such permission, Mr Justice Langstaff noted his concern that, at least on one level, the judgment of the Court was operating to help the rogue employee further his aim of damaging his former employer.
The Court was not invited to consider quantum of loss, which will be assessed in due course.
In circumstances where it is estimated that more than half of all data incidents result from an insider threat and where we have Members of Parliament (albeit in a different context) tweeting that their staff have routine access to their passwords and log-in details, the fact that breaches such as this happen at all should surprise few people. What the judgment does, however, is serve as a salutary reminder of the ever-increasing importance of implementing adequate security measures within an organisation to ensure that all personal data is held securely and is accessible in very limited circumstances. These are measures which, crucially, need to be monitored and policed so that any incidents can be quickly identified and remedied.
From a security perspective, the judgment does not in itself create any additional standards or security measures for companies to deploy. Such measures have always been required as a matter of good security hygiene, but will be ever more important following the implementation of the GDPR.
The fact that the case was brought at all is perhaps noteworthy. Not only is this a case where employees are bringing an action against their employers, but this is one of the first occasions where a group action has successfully been brought for a data incident. Cases such as this are likely to increase yet further with the introduction of a collective actions for redress in respect of data breaches under the GDPR in May, as well as mandated notification of breach.
For now, the potential game-changer in this judgment is that, rather than merely looking at limited insurance coverage for non-compliance with data protection laws, companies should consider whether they are adequately covered for the behaviour of their employees – even though they may not have done anything wrong themselves.
Mark Deem is a Partner and commercial litigator at Cooley LLP.