You would have thought it would be a good idea to have a complete answer to a data breach claim. Not so. That was the surprising (to some) outcome of a recent Court of Appeal decision in a case involving a well-known UK supermarket chain. The implications of this case for all companies, and for the boards which preside over them, should not be ignored.
The facts are stark. One of the supermarket’s senior employees deliberately copied the personal data of nearly 100,000 employees onto a personal USB stick. Some months later, he posted all of this personal data on a file sharing website. The supermarket was alerted and the website was taken down. The ex-employee was later prosecuted and jailed for 8 years under the Computer Misuse Act 1990 and the Data Protection Act 1998. Some 5,500 of the affected employees litigated against the supermarket in the English High Court, alleging both primary and vicarious liability for: (i) misuse of private information; (ii) breach of confidence; and (iii) breach of the Data Protection Act, as it applied in the era before the introduction of GDPR.
Primary and vicarious liability
The High Court rejected the claim that the company was primarily liable, finding that it had not breached any of the data protection principles. The direct claims against it for misuse of private information and breach of confidence also failed. By contrast, the Court found the company vicariously liable for all of the criminal actions of its former employee. It was on this limb of the High Court’s decision that the supermarket appealed.
One of the principal grounds of appeal concerned whether the employee’s wrongful acts were sufficiently connected to his employment. The Court of Appeal found that, because he had been specifically entrusted with the payroll data, there was a sufficient connection between his authorised tasks and the wrongful acts he perpetrated. It held that there was an unbroken thread linking his work to the disclosure: what happened was a seamless and continuous sequence of events.
Public policy considerations
The Court of Appeal specifically rejected the proposition that imposing vicarious liability in these circumstances would place a disproportionate burden on supposedly “innocent” employers. It said:
There have been many instances in the media in recent years of data breaches on a massive scale. These might, depending on the facts, lead to a large number of claims against the falling company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward…
Failure to insure
The obvious public policy consideration behind the doctrine of vicarious liability is to provide a means of compensating innocent victims of corporate activity in circumstances where the company’s employees responsible for the relevant conduct do not have sufficiently deep pockets. It is interesting that the Court of Appeal’s answer to the countervailing policy consideration, that “innocent” companies will be unfairly punished by the application of the principle, is, in large part, the assumed availability of adequate and relevant insurance. In principle, both the losses which the supermarket chain suffered and those in respect of which it was being sued are probably insurable under a cyber policy. The question of the availability and cost of such insurance is more open.
How long will we have to wait before we see an inventive claimants’ lawyer making the case, based on the Court of Appeal’s conclusion, that a board’s negligent failure to take out adequate insurance to protect the company from this form of no-fault liability has caused the company damage?