In the following guest post, Francis Kean, Executive Director, FINEX, Willis Towers Watson, takes a look at an interesting and arguably surprising recent U.K. judicial decision in which a supermarket chain was held liable for the unauthorized Internet disclosure of its employees’ personal data. Francis has some interesting observations about the decision’s possible implications as well. A version of this article previously was published on the Willis Towers Watson Wire blog (here). I would like to thank Francis for allowing me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Francis’s article:
You would think that if a company was found both by the relevant regulatory authorities and by the courts to have taken all reasonable steps to protect personal data, it would have a complete answer to a data breach claim. Not so. That was the surprising (to some) outcome of a recent Court of Appeal decision in a case concerning a well-known UK supermarket chain. The judgment can be found here. The implications of this case for all companies and for the boards which preside over them should not be ignored.
The facts are stark. One of the supermarket’s senior employees deliberately copied the personal data of nearly 100,000 employees onto a personal USB stick. Some months later (at his own home) he posted all this personal data on a file sharing website. The supermarket was alerted and the website was taken down. The ex-employee was later prosecuted and jailed for 8 years for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998. Some 5,500 of the affected employees then joined group litigation against the supermarket in the UK High Court alleging against it both primary and vicarious liability for: (i) misuse of private information; (ii) breach of confidence; and (iii) breach of the Data Protection Act. (The case relates to an era before the introduction of the GDPR.)
Primary and Vicarious Liability
The Court cleared the company of primary liability on the basis that it had not itself breached any of the data protection principles (except in one respect which was not causative of any loss). The direct claim against it for misuse of private information and breach of confidentiality also failed. By contrast, the Court found the company vicariously liable for all of the criminal actions of its former employee. It was on this limb of the High Court’s decision that the supermarket appealed.
One of the principal grounds of appeal was that because the former employee’s conduct had occurred outside the scope of his employment, the company could not and should not be held liable. The Court of Appeal found that because the employee was specifically entrusted with payroll data, there was a sufficient connection between his authorised tasks and the wrongful acts perpetrated by him. It held that “there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events”.
Public Policy Considerations
The Court of Appeal specifically rejected the public policy based argument run by the supermarket that vicarious liability in similar scenarios imposes a disproportionate burden on supposedly “innocent” employers. It said:
“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward…” (emphasis added)
Failure to Insure
The obvious public policy consideration behind the doctrine of vicarious liability is to provide a means of compensating innocent victims of corporate activity in circumstances where the company’s employees responsible for the relevant conduct do not have sufficiently deep pockets. It is interesting that the Court of Appeal’s answer to the countervailing policy consideration that “innocent” companies will be unfairly punished by the application of the principle is (in large part) the assumed availability of adequate and relevant insurance. In principle, both the losses which the supermarket chain suffered and those in respect of which it was being sued are probably insurable under a cyber policy, but the questions as to the availability and cost of such insurance are more open.
How long will we have to wait before we see an inventive claimants’ lawyer making the case, based on the Court of Appeal’s conclusion, that the negligent failure by a company’s board to take out adequate insurance to protect the company from this form of no-fault liability has caused it damage?