Several recent events have highlighted the pressing nature of data security. The GDPR, with its threat of hefty fines, has served to focus the minds of corporate entities on this crucial issue.
When one thinks of a data breach, one typically thinks of an anonymous third-party hacker: a rogue-state operative, or a lone wolf, stealing data to hold a company to ransom, to sell it on the dark web, or to disrupt an industry. Companies and their insurers are investing significant time and money to protect against these external threats. But what happens when a threat comes from within?
A BREACH FROM WITHIN
Matthew Williams, senior associate, and Alexandra Jones, associate, both at Mayer Brown, highlight one such example: "Following an internal disciplinary proceeding, Mr Skelton, a senior IT internal auditor at Morrisons supermarket, developed a grudge against his employer. In November 2013, Mr Skelton had access to the payroll data of 100,000 employees, which he copied onto a personal USB stick and posted online from his home computer, seeking to frame a colleague."
Once it was established that Mr Skelton was the perpetrator, he was arrested, charged, convicted of fraud and sentenced to eight years' imprisonment. Subsequently, more than 5,000 Morrisons employees impacted by the scandal brought proceedings against Morrisons: both direct causes of action and, in the alternative, a claim that Morrisons was vicariously liable for Mr Skelton's wrongful acts.
The Mayer Brown lawyers note: "At first instance, Langstaff J rejected the argument that Morrisons bore any primary liability. However, he held that 'the wrongful conduct of the internal auditor [Mr Skelton] was so closely connected with acts which he had been authorised to do that it could fairly and properly be regarded as done while he was acting in the ordinary course of his employment, so as to give rise to vicarious liability'.
"Morrisons appealed, but it was dismissed by the Court of Appeal in October 2018. The court held that Mr Skelton's actions fell 'within the field of activities assigned to him by Morrisons' and agreed with Langstaff J that there was a 'seamless and continuous sequence' or 'unbroken chain of events' to support a finding of Morrisons' vicarious liability."
The lawyers said insurers will be interested in the Court of Appeal's comments on Morrisons' submissions that a finding of vicarious liability would place an unreasonable burden on Morrisons and other innocent employers in similar cases in the future.
The judges noted: "The solution is to insure against such catastrophes… The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward… on behalf of Morrisons."
COVER CONCERNS
In the light of the Morrisons decision, which confirms that employers may be vicariously liable for data breaches carried out by their employees, even where an employee's motive is to damage the employer and the acts are outside of working hours, insurers may be concerned to understand how their insurance policies, including their professional indemnity, crime and cyber liability policies, might respond.
The Mayer Brown pair warn:
- Professional indemnity and cyber liability policies may exclude coverage for a claim arising out of intentional misconduct by an employee.
- It is possible that such claims could be covered under a crime policy, although these tend to cover more readily tangible loss as a result of employee wrongdoing, such as internal theft of cash, as opposed to defence costs and damages resulting from a finding of vicarious liability for the actions of an employee.
"The issue is further complicated by the fact that the claimants in Morrisons are current and former employees. The policies above often contain 'insured v insured' exclusions and it would have to be seen whether insurers would seek to exclude a claim for vicarious liability brought by an insured's employees," say Mr Williams and Ms Jones.
"A further consequence of the Morrisons decision may be that if employers are more easily held accountable for employee misconduct, insurers are less likely to insure against that risk, or may seek higher premiums to cover such a risk.
"Insurers and insureds must bear these important coverage issues in mind when considering the scope of cover provided to the insureds in the event of data protection breaches by their own employees and, in particular, may want to consider whether such a risk could be incorporated within their cyber liability policy coverage."
GOOGLE FINED RECORD €50M IN FIRST GDPR TEST
France's data protection watchdog fined Alphabet's Google €50m ($57m) for breaching European Union online privacy rules.
Reuters reported it was the biggest such penalty levied against a US tech giant, after the French regulator said Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalised ads.
"The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent," the regulator CNIL said.
Helen Bourne, partner at Clyde & Co, notes: "It is clear from the CNIL's decision that claiming to be compliant is not enough and companies need to consider how clear, unambiguous and easily accessible information about data protection is. The CNIL has viewed Google's data protection from the perspective of the data subject and this is the perspective from which potential risks should be considered."
- The EU's General Data Protection Regulation, the biggest shake-up of data privacy laws in more than two decades, came into force in May 2018. It allows users to better control personal data and gives regulators the power to impose fines of up to 4% of global revenue for violations.