Journal Magazine: Informing Workplace and Facilities Management Professionals (Chartered Insurance Institute)
DATA BREACHES AND VICARIOUS LIABILITY

Open-access content, 28th February 2019

Several recent events have highlighted the pressing nature of data security. The GDPR, with its threat of hefty fines, has served to focus the minds of corporate entities on this crucial issue.

When one thinks of a data breach, one typically thinks of an anonymous third-party hacker: a rogue-state operative, or a lone wolf, stealing data to hold a company to ransom, to sell it on the dark web, or to disrupt an industry. Companies and their insurers are investing significant time and money to protect against these external threats. But what happens when a threat comes from within?

A BREACH FROM WITHIN

Matthew Williams, senior associate, and Alexandra Jones, associate, both at Mayer Brown, highlight one such example: "Following an internal disciplinary proceeding, Mr Skelton, a senior IT internal auditor at Morrisons supermarket, developed a grudge against his employer. In November 2013, Mr Skelton had access to the payroll data of 100,000 employees, which he copied onto a personal USB stick and posted online from his home computer, seeking to frame a colleague."

Once it was established that Mr Skelton was the perpetrator, he was arrested, charged, convicted of fraud and sentenced to eight years' imprisonment. Subsequently, more than 5,000 Morrisons employees impacted by the scandal brought proceedings against Morrisons; both direct causes of action and, in the alternative, a claim that Morrisons was vicariously liable for Mr Skelton's wrongful acts.

The Mayer Brown lawyers note: "At first instance, Langstaff J rejected the argument that Morrisons bore any primary liability. However, he held that 'the wrongful conduct of the internal auditor [Mr Skelton] was so closely connected with acts which he had been authorised to do that it could fairly and properly be regarded as done while he was acting in the ordinary course of his employment, so as to give rise to vicarious liability'.

"Morrisons appealed, but it was dismissed by the Court of Appeal in October 2018. The court held that Mr Skelton's actions fell 'within the field of activities assigned to him by Morrisons' and agreed with Langstaff J that there was a 'seamless and continuous sequence' or 'unbroken chain of events' to support a finding of Morrisons' vicarious liability."

The lawyers said that the Court of Appeal's comments on Morrisons' submissions (that a finding of vicarious liability would place an unreasonable burden on Morrisons and on other innocent employers in similar cases in the future) will be of interest to insurers.

The judges noted: "The solution is to insure against such catastrophes… The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward… on behalf of Morrisons."

COVER CONCERNS

In the light of the Morrisons decision, which confirms that employers may be vicariously liable for data breaches carried out by their employees, even where an employee's motive is to damage the employer and the acts are outside of working hours, insurers may be concerned to understand how their insurance policies, including their professional indemnity, crime and cyber liability policies, might respond.

The Mayer Brown pair warn:

  • Professional indemnity and cyber liability policies may exclude coverage for a claim arising out of intentional misconduct by an employee
  • It is possible that such claims could be covered under a crime policy, although these tend to cover more readily tangible loss as a result of employee wrongdoing, such as internal theft of cash, as opposed to defence costs and damages resulting from a finding of vicarious liability for the actions of an employee.

"The issue is further complicated by the fact that the claimants in Morrisons are current and former employees. The policies above often contain 'insured v insured' exclusions and it would have to be seen whether insurers would seek to exclude a claim for vicarious liability brought by an insured's employees," say Mr Williams and Ms Jones.

"A further consequence of the Morrisons decision may be that if employers are more easily held accountable for employee misconduct, insurers are less likely to insure against that risk, or may seek higher premiums to cover such a risk.

"Insurers and insureds must bear these important coverage issues in mind when considering the scope of cover provided to the insureds in the event of data protection breaches by their own employees and, in particular, may want to consider whether such a risk could be incorporated within their cyber liability policy coverage."


GOOGLE FINED RECORD €50M IN FIRST GDPR TEST

France's data protection watchdog fined Alphabet's Google €50m ($57m) for breaching European Union online privacy rules.

Reuters reported it was the biggest such penalty levied against a US tech giant, after the French regulator said Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalised ads.

"The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent," the regulator CNIL said.

Helen Bourne, partner at Clyde & Co, notes: "It is clear from the CNIL's decision that claiming to be compliant is not enough and companies need to consider how clear, unambiguous and easily accessible information about data protection is. The CNIL has viewed Google's data protection from the perspective of the data subject and this is the perspective from which potential risks should be considered."

  • The EU's General Data Protection Regulation, the biggest shake-up of data privacy laws in more than two decades, came into force in May 2018. It allows users to better control personal data and gives regulators the power to impose fines of up to 4% of global revenue for violations.

The Journal Magazine is © 2020 Redactive Publishing Limited

All rights reserved.