Supermarket Swept up into Liability of Rogue Employee

February 19, 2018

The received wisdom was always that the greatest exposures
created by a cyber security incident or data breach were the costs of
remediation, business disruption and any regulatory fine. Whilst litigation
risk existed, it was generally felt that such losses would only be suffered in
the context of a security event introduced into the supply chain. Accordingly,
cyber coverage for many was a rather limited affair – dealing with the costs of
remedying a breach, any impact on trading activity and, to the extent
permissible, penalties and fines.

This may all be about to change, following the decision of
the High Court in Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB)
and as a result of the much-heralded implementation of the GDPR in May.

The High Court ruling is particularly significant in that
the supermarket chain in question was found vicariously liable for actions of a
rogue employee, even though the Court was ultimately satisfied that the
employer had itself broadly done nothing wrong.

Background

The case related to the actions of a senior auditor of the
Bradford-based supermarket chain who had, in late 2013 and following some
internal disciplinary proceedings against him, stolen personal data (including
names, addresses, gender, dates of birth, phone numbers, national insurance
numbers, bank account details and salary information) of almost 100,000
employees. The stolen information was uploaded by the employee to a
file-sharing website in early January 2014 and, just over two months later (and
shortly before the public announcement of its annual financial reports), a CD
of the material was delivered anonymously to three newspapers, exposing the
data subjects to risk of identity fraud and financial losses.

Morrisons' management were immediately informed of the issue
by the newspapers, and the file-sharing website was taken down within hours.
Following internal investigations (and at some considerable cost to the
business), the employee was arrested, charged and convicted of an offence under
the Computer Misuse Act 1990 and under the Data Protection Act 1998. He is
presently serving a term of eight years’ imprisonment.

That, however, was not the end of the matter for the
supermarket as, in 2015, 5,518 affected employees commenced an action seeking
compensation for breach of statutory duty under the Data Protection Act 1998
and, at common law, for the tort of the misuse of private information and an
equitable claim for breach of confidence.

The claims were made on the basis that Morrisons were
primarily liable for the data loss, failing which they were vicariously liable
as employer for the actions of the rogue employee.

The Court held that, except in one respect which did not
result in any loss, the supermarket had not breached any of the data protection
principles and was not primarily liable. However, there was a sufficiently
close connection between the actions of the employee and his employment for
Morrisons to be found vicariously liable.

Permission was granted by the High Court for Morrisons to
appeal the conclusion as to its vicarious liability, but not for a cross-appeal
concerning the question of primary liability. In granting such permission, Mr
Justice Langstaff noted his concern that, at least on one level, the judgment
of the Court was operating to help the rogue employee further his aim of
damaging his former employer.

The Court was not invited to consider quantum of loss, which
will be assessed in due course.

Comment

In circumstances where it is estimated that more than half
of all data incidents result from an insider threat and where we have Members
of Parliament (albeit in a different context) tweeting that their staff have
routine access to their passwords and log-in details, the fact that breaches
such as this happen at all should surprise few people. What the judgment does, however,
is serve as a salutary reminder of the ever-increasing importance of
implementing adequate security measures within an organisation to ensure that
all personal data is held securely and is accessible in very limited
circumstances. These are measures which, crucially, need to be monitored and
policed so that any incidents can be quickly identified and remedied.

From a security perspective, the judgment does not in itself
create any additional standards or security measures for companies to deploy.
Such measures have always been required as a matter of good security hygiene,
but will be ever more important following the implementation of the GDPR.

The fact that the case was brought at all is perhaps
noteworthy. Not only is this a case where employees are bringing an action
against their employers, but this is one of the first occasions where a group
action has successfully been brought for a data incident. Cases such as this
are likely to increase yet further with the introduction of collective actions
for redress in respect of data breaches under the GDPR in May, as well as
mandated notification of breaches.

For now, the potential game-changer in this judgment is
that, rather than merely looking at limited insurance coverage for
non-compliance with data protection laws, companies should consider whether
they are adequately covered for the behaviour of their employees – even though
they may not have done anything wrong themselves.

Mark Deem is a Partner and commercial litigator at Cooley
LLP.