The recent Court of Appeal ruling against Morrisons highlights the growing relevance of third party exposures for data breaches, as well as the role of cyber insurance.
In October, the Court of Appeal dismissed Morrisons’ attempt to overturn last year’s High Court decision in Morrisons Supermarkets Plc v Various Claimants. The case centred on a 2014 data breach in which the company’s then IT auditor Andrew Skelton maliciously published payroll data of more than 100,000 employees online. Some 5,000 employees then joined a class action and sued the supermarket chain for damages, winning their case in the High Court last year.
Morrisons says it now intends to appeal to the Supreme Court. However, the ruling demonstrates that companies can face expensive class action litigation following a data breach, even when they have taken appropriate steps to reduce the risk and mitigate the effects.
The Morrisons litigation is significant for several reasons. First, Morrisons was held ‘vicariously’ liable for the breach, even though the court acknowledged that it had taken reasonable steps to prevent it, such as encrypting the data, and had acted quickly to retrieve the data.
The case is also notable as the UK’s first data breach class action. A number of claimant law firms are now targeting such actions – the recent British Airways, Facebook and Ticketmaster data breaches have seen firms launch class actions on behalf of affected individuals. Skelton was found guilty of fraud and sentenced to eight years in prison.
The claimants are seeking damages despite there being no known financial loss for the affected employees. The ruling is just the latest to establish the right of claimants to seek damages for distress caused by a data breach, without the need to prove financial loss to claim compensation. In addition, the EU’s General Data Protection Regulation (GDPR), as introduced in May this year, makes it much easier for claimants to bring compensation claims, including the right to claim compensation for ‘non-material damage’.
The Court of Appeal also had some interesting comments around insurance. Morrisons argued that the data protection compliance burden was disproportionate and that the breach was caused by the actions of a rogue employee. However, the Court of Appeal’s response was to suggest companies consider buying insurance to protect themselves from such scenarios:
“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees…”
Limited forms of cover for data breach liability are available in a number of insurance policies, although comprehensive cover with meaningful limits is only available within specialist cyber insurance policies, which can also include risk management and data breach response services.
However, not all cyber insurance policies are the same. Limits and the breadth of cover differ widely between insurers, especially when it comes to third party liability. Policies will need to reflect the cyber risk profile of an organisation, and may need to be tested against certain loss scenarios. For example, limits for third party liability will need to be adequate to cover a class action for a large data breach involving thousands of claimants. Vicarious liability would also need to be considered in the context of cyber insurance wordings and other insurance coverages, such as commercial crime.
With our expertise in cyber risk and access to specialist insurers in the London market, Miller can support clients through the insurance buying process. Each organisation has its own specific exposures and concerns, risk appetite and response capabilities. We offer flexible solutions that fit client requirements and align with existing coverages.
Miller’s Cyber capabilities
By working with a specialist broker and insurers, clients can rest assured that cyber insurance will offer protection in times of growing exposure from data breaches.