The Supreme Court in England has two issues to consider in the appeal which opens today. First, should the company be held to be vicariously liable for the acts of its employee in this case? It concerns, after all, a rogue employee, who took payroll data with which he was entrusted home on a USB stick and uploaded it onto a file sharing website. The company was a victim; the employee motivated by a grudge against it. He was convicted of crimes and sentenced to 8 years imprisonment. If the answer to this question is yes, business says it places a huge burden on it, at a time when the cyber incident insurance market is still developing. What are the consequences in practice for how business should monitor and carry out surveillance of employees? Should employers never let employees handle special types of personal data alone? Should employers monitor employees’ laptops routinely, or only if they suspect misuse of personal data?
The second issue is the extent to which data protection law “owns” the field in terms of remedies. Can claimants rely on other causes of action in data breach cases? Does the Data Protection Act 1998 prevent the application of vicarious liability to a breach of the Act? Does it exclude the application of the tort of misuse of private information or the equitable doctrine of breach of confidence to breaches of that Act?
If the claim against Morrisons is ultimately successful, there will be a further hearing to consider the quantum of damages, and the all-important question of what damages should be awarded for the distress associated with a data breach where there is no other tangible loss.
Andrew Moir, head of Herbert Smith Freehills’ global cyber security practice commented: “If the Court of Appeal’s decision stands it will likely pave the way for future data breach related class actions – even if the individual quantum is modest, the numbers of individuals affected by data breaches is often significant enough to make such claims viable”.
The judges hearing the case are: Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, Lord Lloyd-Jones.
Kate Macmillan, a consultant in our cyber security team, is attending the Supreme Court today and will be reporting live on the submissions. You can follow her here.
Cyber-attacks are a continuous threat to both businesses and charities. From the Cyber Security Breaches Survey 2019 (available here as a PDF), we can see that fewer businesses are identifying breaches than in previous years, but the ones that are identifying breaches are typically experiencing more of them. Approximately 32% of businesses and 22% of charities report having cyber security breaches/attacks in the last 12 months. The most common type of cyber security breaches reported are: Continue reading
You don’t expect to see Prince Harry and the GDPR in the same sentence, but it was reported this week that the Duke of Sussex has settled High Court claims against the paparazzi agency Splash News (Splash), in a case which was based partly on breaches of the GDPR. Continue reading
On 15 April 2019, the Supreme Court granted supermarket chain Morrisons permission to appeal against the Court of Appeal ruling that it was vicariously liable for its employee’s misuse of data in the first successful UK class action for a data breach.
Permission was granted on all grounds of appeal and the Supreme Court will principally consider:
- whether the common law doctrine of vicarious liability is excluded in cases that engage the data protection legislation (i.e. where the primary tortfeasor’s actions amounted to a breach by the tortfeasor of his or her own obligations under the data protection legislation);
- if the doctrine is excluded in respect of claims brought by reference to the data protection legislation, whether it is equally excluded in respect of any related common law or equitable causes of action; and
- if the doctrine is not excluded, whether the Court of Appeal in any event erred when it decided to uphold the conclusion that Morrisons was vicariously liable in the circumstances of the case.
This latest twist in the Morrisons tale follows the Court of Appeal dismissing an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data in October 2018, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself: Wm Morrisons Supermarkets Plc v Various Claimants  EWCA Civ 2339.
- here for our previous article on the Court of Appeal’s judgement and here for the Court of Appeal’s full judgement
- here for our summary of the High Court decision.
Last week, it was announced that during December 2018 almost one thousand German public figures, including journalists and a number of prominent politicians including the Chancellor and President, were the subject of one of Germany’s largest data breaches. The leaked data included contacts, private chats, credit card details and other financial details of figures from many of the major German political parties. The German interior ministry have since stated that there is no evidence that government systems or data have been compromised in the cyberattack. Continue reading
The fine was the consequence of a cyber security breach in October 2015, which led to the theft of personal data of almost 157,000 customers, including the bank account number and sort code details of nearly 16,000 customers.