Game changer for cyber/data breach cases opens in Supreme Court: WM Morrisons Supermarkets Plc v Various Claimants

The Supreme Court in England has two issues to consider in the appeal which opens today. First, should the company be held to be vicariously liable for the acts of its employee in this case? It concerns, after all, a rogue employee, who took payroll data with which he was entrusted home on a USB stick and uploaded it onto a file sharing website. The company was a victim; the employee motivated by a grudge against it. He was convicted of crimes and sentenced to 8 years’ imprisonment. If the answer to this question is yes, business says it places a huge burden on it, at a time when the cyber incident insurance market is still developing. What are the consequences in practice for how business should monitor and carry out surveillance of employees? Should employers never let employees handle special types of personal data alone? Should employers monitor employees’ laptops routinely, or only if they suspect misuse of personal data?

The second issue is the extent to which data protection law “owns” the field in terms of remedies. Can claimants rely on other causes of action in data breach cases? Does the Data Protection Act 1998 prevent the application of vicarious liability to a breach of the Act? Does it exclude the application of the tort of misuse of private information or the equitable doctrine of breach of confidence to breaches of that Act?

If the claim against Morrisons is ultimately successful, there will be a further hearing to consider the quantum of damages, and the all-important question of what damages should be awarded for the distress associated with a data breach where there is no other tangible loss.

Andrew Moir, head of Herbert Smith Freehills’ global cyber security practice, commented: “If the Court of Appeal’s decision stands it will likely pave the way for future data breach related class actions – even if the individual quantum is modest, the number of individuals affected by data breaches is often significant enough to make such claims viable”.

The judges hearing the case are: Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, Lord Lloyd-Jones.

Kate Macmillan, a consultant in our cyber security team, is attending the Supreme Court today and will be reporting live on the submissions. You can follow her here.

Andrew Moir
Partner and Global Head of Cyber Security, London
+44 20 7466 2773

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Christine Young
Partner, London
+44 20 7466 2845

Greig Anderson
Partner, London
+44 20 7466 2229

Kate Macmillan
Consultant, London
+44 20 7466 3737

Storming the Breaches: DCMS releases Cyber Security Breaches Survey 2019

Cyber-attacks are a continuous threat to both businesses and charities. From the Cyber Security Breaches Survey 2019 (available here as a PDF), we can see that fewer businesses are identifying breaches than in previous years, but the ones that are identifying breaches are typically experiencing more of them. Approximately 32% of businesses and 22% of charities report having cyber security breaches/attacks in the last 12 months. The most common type of cyber security breaches reported are:

British Airways Data Breach: ICO announces potential £183 million ‘mega fine’

  • The ICO has published a notice of its intent to fine British Airways £183.39 million for its 2018 data breach where the personal data of 500,000 customers was stolen by hackers;
  • This is the first ‘mega fine’ issued by a European data regulator since the implementation of the GDPR;
  • The ICO acted as lead supervisory authority and has confirmed that it has been liaising with other EU privacy regulators;
  • No details have yet been published by the ICO regarding the specific GDPR infringements involved;
  • British Airways now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.

Latest twist in the Morrisons Case: Supreme Court grants Morrisons permission to appeal

On 15 April 2019, the Supreme Court granted supermarket chain Morrisons permission to appeal against the Court of Appeal ruling that it was vicariously liable for its employee’s misuse of data in the first successful UK class action for a data breach.

Permission was granted on all grounds of appeal and the Supreme Court will principally consider:

  1. whether the common law doctrine of vicarious liability is excluded in cases that engage the data protection legislation (i.e. where the primary tortfeasor’s actions amounted to a breach by the tortfeasor of his or her own obligations under the data protection legislation);
  2. if the doctrine is excluded in respect of claims brought by reference to the data protection legislation, whether it is equally excluded in respect of any related common law or equitable causes of action; and
  3. if the doctrine is not excluded, whether the Court of Appeal in any event erred when it decided to uphold the conclusion that Morrisons was vicariously liable in the circumstances of the case.

This latest twist in the Morrisons tale follows the Court of Appeal’s dismissal, in October 2018, of an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself: Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339.

Cyberattack on German Public Figures Leads To One of Germany’s Largest Data Breaches

Last week, it was announced that during December 2018 almost one thousand German public figures, including journalists and a number of prominent politicians including the Chancellor and President, were the subject of one of Germany’s largest data breaches. The leaked data included contacts, private chats, credit card details and other financial details of figures from many of the major German political parties. The German interior ministry have since stated that there is no evidence that government systems or data have been compromised in the cyberattack.