
Morrisons’ data breach: implications of Supreme Court ruling for UK businesses

01 April 2020 | London

Responding to today’s Supreme Court ruling which found that Morrisons is not ‘vicariously liable’ for a large-scale data leak by a disgruntled employee, lawyers from Herbert Smith Freehills suggest that “while the judgment will be a relief to corporates, it is by no means the end of the road for data breach class actions. Boardrooms should still be examining the steps they take to plug data leaks before they happen, so as to minimise the risk of future claims.”

Commenting on the privacy implications of the Supreme Court’s decisions, Miriam Everett, partner and global head of data and privacy at Herbert Smith Freehills, says: “Today’s judgment will lead to a collective sigh of relief in Boardrooms up and down the country as this is exactly the decision that many organisations wanted. In a world where companies can already be fined up to EUR 20 million or 4% of annual worldwide turnover for GDPR non-compliance, there are real fears concerning the potential for additional significant liability under class action claims for data breaches. Many organisations will be comforted by the steps that the Court has now taken to reduce the likelihood of such claims being successful.”

“However, the decision is no guarantee that similar claims would fail in circumstances where the regulator agrees that there has been a breach of the security requirements under the GDPR, such as has been the case when you look at some of the recent big data breaches we have seen which are starting to result in significant fines from the ICO.”

Commenting on the likely proliferation of class actions despite today’s ruling, Julian Copeman, partner in Herbert Smith Freehills’ disputes practice, says: “Data breach class actions are on the rise in the UK and today’s judgment should be seen as a setback not a roadblock. Funders and claimant firms are looking to build class actions in relation to data breaches even where there is no specific evidence of individual damage. They are seeking damages for the whole class for "distress" or a standardised claim of loss of access to data and even a nominal damages award per claimant could lead to a significant amount over a class of tens or hundreds of thousands. Today's judgment will not reverse that trend, but it will at least mean that companies who are themselves victims of data breaches by employees will not also face such claims on this basis alone.”

Commenting on the insurance risks emanating from the judgment, Greig Anderson, partner in Herbert Smith Freehills’ insurance disputes group, says: "This judgment is good news for corporates and their insurers. The expectation of the courts below had been that insurance was the answer to the point that the judgment effectively helps achieve the rogue employee’s aim - namely to harm Morrisons. Insurers may therefore be breathing a sigh of relief - but only up to a point. Vicarious liabilities for data breaches by rogue employees are insurable in principle, but these claims are not doomsday for the insurance market. That's because the main risk for corporates – and therefore insurers – is direct liability claims and related losses, which continue apace on an upwards trajectory.

“The good news for concerned corporates is that they can buy cyber insurance to cover data breach claims, whether for direct or vicarious liabilities, as well as related losses such as costs of managing the incident, regulatory investigations and loss of profits if systems are impacted. However, risk transfer strategies within corporates vary, and that cover cannot necessarily be banked upon in all cases. The main challenge therefore remains – and is not answered here: how much cover would I need to buy for a reasonable worst case, and is that available at reasonable cost on a good wording. Given that the measure of damages is still unclear, this issue will continue to be wrestled with."

Commenting on the financial implications of the Supreme Court ruling, Andrew Moir, global head of cyber and data security at Herbert Smith Freehills, says: “While the spectre of no fault liability presented by Morrisons has fallen away, there is still a significant risk from fault based claims – we are already seeing adverse findings from the ICO around data security literally being cut-and-paste into claim forms.  The key question for the viability of those claims will be how much a bare data breach is “worth” by way of damages, even if there’s no other loss suffered by the victim.  We will have to wait a bit longer now to find that out."

Commenting on the employment implications, Tim Leaver, partner in Herbert Smith Freehills' employment practice, says: "From an employer's perspective this decision is welcome news.  It shows that there has been a return to a more common sense interpretation of the now infamous phrase "frolic of his own", on which vicarious liability cases have predominantly focussed in the past."

Media Contact

For further information on this news article, please contact:

Mike Petrook, Communications Manager

London
Tel: +44 20 7466 3939