Back in December 2017, WM Morrison Supermarkets Plc was found to be vicariously liable for a major data breach committed by one of its employees. The decision was appealed which was subsequently dismissed in October 2018. The Lord Justices’ comments in the appeal notice make for interesting reading, particularly from an insurance perspective! For most business owners, vicarious liability is a constant risk. Fortunately it’s an insurable risk.
What Happened ?
The details, (including bank, salary, date of birth and national insurance data), of just under 100,000 Morrison employees, was copied on to a USB stick by Andrew Skelton, a former senior IT Auditor at the organisation. The data was later posted to a file sharing website and made public. Local media outlets became aware of the breach. Morrison proceeded to take appropriate systematic and legal action. The offence earned Mr Skelton an 8 year jail term. However, the small matter of data protection hadn’t gone unnoticed by a significant number of employees, who jointly alleged liability on their employer’s part for a breach of confidence and misuse of private information. Morrison were found to be vicariously liable for the data breach. In October 2018, Morrison’s appeal was dismissed. Next stop, Supreme court.
Now, we’re not legal eagles, and it’s not the intention of this blog to delve down into the in’s and out’s of the legal details, (but if you’re interested, speak with our friends at Sheridans, who kindly brought the Lord Justice’s comments to our attention)* but part of the defence’s argument in this case was that many of these large data breaches may lead to claims for “potentially ruinous amounts”, leading to a “Doomsday” outlook for the organisations concerned. Point of note to the defence, Vicarious Liability Insurance exists!
Vicarious Liability Insurance – Prepare for Doomsday!
It is interesting to read in paragraph 78 of the case notes of Various Claimants v WM Morrison Supermarkets PLC (A2/2018/0090) that Lord Justice Bean and Lord Justice Flaux highlight the general requirement for liability insurance. A full quote of paragraph 78 reads as follows:
“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by Ms Proops on behalf of Morrisons.”
As stated by the Lord Justices, the solution to the risk posed by a serious data breach is to insure against it.
Vicarious Liability Insurance – What You Need to Know and What You Can Do
If an organisation is found to be vicariously liable, then they are financially and legally responsible for the actions, omissions or wrong doing of their employees, contractors or agents in the course of employment or other work related duty. The underlying concept of vicarious liability is founded on the principle that the employer has facilitated or otherwise contributed to its employee’s actions. It’s also important to note that an employer may also be liable even if the employee is no longer in employment.
As well as data privacy an employer could be vicariously liable for:
- Injury or Accident
- Bullying and Harassment
- Third party actions (client’s, suppliers etc)
- Breach of Copyright
- Vehicle Owner and Permissive User
In terms of protecting your organisation against any such claims it really comes down to your policies and training. Are they up to date? Have they been communicated effectively, has everyone received training and undergone regular assessments? If you are able to demonstrate you have taken all reasonable precautions and are actively committed to protecting the interests of the company and employees a like, the organisation will be less likely to be found vicariously liable for the actions of another person.
A Special Note – Recruitment and Vicarious Liability
Vicarious Liability is particularly pertinent within the recruitment sector. Liabilities for the negligent acts of supplied temporary personnel in the course of their employment, are a by-product of signing up to non-standard contractual terms, that transfer the responsibility and control of the temporary workers back to the recruitment agency, effectively holding the recruitment agency contractually liable for their agent’s actions. Adam, our recruitment insurance specialist, has previously written a blog on the subject of understanding contractual liability and vicarious liability exposure.
Adam cites an example of how recruitment agencies may have increased exposure to vicarious liability:
A recruitment agency supplied a construction project manager to a London local authority, who over the course of two years was accused of approving 17 false projects and defrauding the council out of a staggering £2.8m. The council argued they were not supervising nor employing the worker, and that the recruitment agency is responsible for the actions of the workers they supply and are suing the agency for their loss.
If you have any questions about your vicarious liability exposures, please call the Macbeth team on 0118 916 5480.
*Sheridans, based in London, is a leading media technology law firm with a dedicated Data Privacy & Cybersecurity Team. Philip James, one of the leading protagonists on EU data, privacy and media law, has been following the Morrison’s case and brought our attention to the inclusion of the subject of insurance within the case notes.