Insurance ramifications from UK Supreme Court decisions
Liz Booth explores the ramifications two court rulings will have for cyber and liability insurance providers
Cyber and liability insurers were breathing a huge sigh of relief after the UK Supreme Court ruled in two cases -- Morrisons and Barclays -- effectively deciding that companies could not be vicariously liable for the actions of their employees.
In the first case, Barclays Bank plc v Various Claimants, the Supreme Court overturned the Court of Appeal decision, finding that Barclays was not liable for sexual assaults committed by a medical practitioner in the course of medical examinations carried out at Barclays' request. The examinations were carried out either as a precursor to or during the claimants' employment with Barclays.
The doctor's work, agreed the Supreme Court, was considered part of a network of many others who did work for Barclays but were clearly independent contractors, "ranging from the company hired to clean its windows, to the auditors hired to audit its books".
This decision reiterates the existence of the 'independent contractor' defence to claims of vicarious liability, carrying not only important implications for the law of vicarious liability but also the scope of abuse claims for which parties can be liable, along with the associated exposure for liability insurers.
Greg Woods, a partner at law firm Kennedys, says: "From a legal perspective, it clarifies the court's approach to determining whether the relationship between an employer and contractor is sufficiently akin to an employment relationship to make it right to hold the employer liable for the contractor's actions."
In Morrisons, the case did involve an employee, Andrew Skelton, who leaked payroll details. The Supreme Court ruled the leak by an internal auditor of payroll data of some 100,000 employees was "revenge".
Greig Anderson, a partner in Herbert Smith Freehills' insurance disputes group, says: "This judgment is good news for corporates and their insurers."
SIGH OF RELIEF?
So, the question is: are insurers off the hook for good? Not necessarily so, is the resounding reply from lawyers and brokers alike.
Mr Anderson warns: "Insurers may therefore be breathing a sigh of relief -- but only up to a point. Vicarious liabilities for data breaches by rogue employees are insurable in principle, but these claims are not doomsday for the insurance market. That's because the main risk for corporates -- and insurers -- is direct liability claims and related losses, which continue apace on an upwards trajectory."
Vanessa Cathie, account executive, global professional and financial risks at insurance brokerage Lockton, agrees: "Far from being an absolute 'get out of jail free' card, little has actually changed under the law itself. The Morrisons result is essentially a 'recalibration' of the law which had become a little blurred."
And she stresses: "Another fact remains clear: a frolic can be a dangerous thing. What happened at Morrisons could have taken place at any other company: a disgruntled employee (Mr Skelton) did not respond well to disciplinary action."
For the future, the concern remains the rise of class actions and the threat of massive claims hitting the insurance market. As Ms Cathie explains: "Despite Morrisons' swift actions, and advice that 'we've seen absolutely no evidence of anyone suffering any direct financial loss', the supermarket was not able to quash a class action by 9,000 employees under common law and the Data Protection Act 1998 (as was in place at the time) for misuse of private information and breach of confidence -- the first data leak class action in the UK."
She points out that Morrisons lost a battle in the Court of Appeal in October 2018, when the court upheld the High Court's decision that the company was vicariously liable for the actions of its rogue employee. As well as the exposure to compensation claims, the supermarket chain faced considerable negative publicity.
Interestingly, Ms Cathie adds: "From an insurance perspective, there was a consideration by the Court of Appeal in the Morrisons case that an employer holding insurance for losses arising from acts of malicious employees was a relevant factor in the finding of vicarious liability. In the Supreme Court however, the existence of any insurance policy covering the actions of a rogue employee was not deemed a relevant issue in determining the employer's liability.
"This will bring some comfort to employers that where an employee is acting outside the scope of employment, those actions should not erode certain insurances," says Ms Cathie.
Hollie Mortlock, head of finex financial institutions product development at Willis Towers Watson, reminds the market: "The abiding principle in cases involving vicarious liability remains whether there can be said to be sufficient connection between a rogue employee's unlawful conduct and the course of their employment."
For cyber insurers, Ms Mortlock has a warning: "It is worth noting, however, that the events that gave rise to the Morrisons action predated the introduction of the General Data Protection Regulation (GDPR). Different considerations would have come into play if the class action had centred around Morrisons' obligations as a data controller under the GDPR, rather than on traditional common law principles of vicarious liability.
"While the Supreme Court clarified the correct application of the vicarious liability test, employers can still be held liable for data breaches caused by their employees and therefore they should still ensure they have robust protocols and security measures to protect personal data and comply with their obligations under data protection legislation."
CLASS ACTION WARNING
A key aspect of these cases was the use of class actions. Julian Copeman, a partner in Herbert Smith Freehills' disputes practice, says: "Data breach class actions are on the rise in the UK and the judgment should be seen as a setback, not a roadblock. Funders and claimant firms are looking to build class actions in relation to data breaches even where there is no specific evidence of individual damage.
"They are seeking damages for the whole class for 'distress' or a standardised claim of loss of access to data, and even a nominal damages award per claimant could lead to a significant amount across a class of tens or hundreds of thousands."
- Morrisons: During the course of his employment as a senior internal auditor, Andrew Skelton had access to considerable personal data, for the purposes of completing an auditing task. Acting on a grudge stemming from employment action, he posted payroll data of almost 100,000 Morrisons employees on the internet, then notified the press of his actions. Morrisons acted quickly by removing the data from the internet, investigating the incident thoroughly and alerting the police.
- Barclays: Litigation was brought by 126 claimants against Barclays Bank for sexual assaults committed by a self-employed doctor during medical examinations carried out as part of the claimants' employment with Barclays. Barclays relied on the defence that it had no contract of employment with the doctor that could give rise to vicarious liability and he was acting as an independent contractor.
Sources: Lockton and Clyde & Co
Liz Booth is contributing editor of The Journal