Morrisons data-liability ruling raises questions for companies, insurers, regulators
30 November 2018. By Vesela Gladicheva.
UK businesses handling personal data have a lot to be nervous about these days — and so do their insurers.
Tomorrow marks the anniversary of when the nerves set in, with a High Court ruling on Dec. 1 last year that supermarket Wm Morrison bore secondary liability for a massive leak of confidential payroll data by a rogue employee who sought to harm the company.
The landmark ruling exposes Morrisons — and any companies suffering a similar fate — to unpredictably large compensation claims from data-leak victims, reputational damage and the risk of hefty fines from regulators for infringements under strict new EU data-privacy rules.
Any observers amazed by the ruling and expecting it to be overturned after Morrisons appealed were disappointed last month, when the Court of Appeal backed the finding that the grocer had “vicarious liability” for the 2014 data leak by senior internal auditor Andrew Skelton.
Big companies in the UK are voicing their fears. Yesterday, telecom incumbent BT told a forum in London it was paying more attention to insider threats following the rulings.
BT's ongoing structural separation from network subsidiary Openreach could have an impact on some employees, said Helen Proctor, the company’s legal director for data and security. "[One of] those unhappy people could turn into a disgruntled employee who could trigger a data breach," she warned, and BT had to be sure it was "monitoring people in key organizational roles."
Some companies will now look to regulators, such as the UK Information Commissioner's Office, for legal certainty about what they need to do to avoid vicarious liability and damages claims in similar future cases.
The appeal judges had another answer: Insurance.
"The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees," the Court of Appeal said in its ruling last month. "The availability of insurance is a valid answer to the Doomsday or Armageddon arguments" that Morrisons had made during the trial, the judges said.
The supermarket is now appealing to the Supreme Court. If it fails there, the reality could be dramatically increased premiums for employers' liability insurance, policy exclusions intended to push companies into improving their business processes, or overcompliance by companies at the expense of customer experience.
The Morrisons case is the first collective claim for compensation over a data leak in the UK, and involves 5,500 current or former workers suing the chain. If Morrisons fails to convince the UK's top court, the next stage will be a hearing to determine the amount of compensation awarded.
That will be key to shaping the real impact of the case. Will it result in a payout just to those participating in the lawsuit, or will it extend to the 100,000 employees whose payroll data Skelton published online?
Underwriters are nervous about the fact that the leak didn't lead to any financial loss and that any compensation would be awarded for distress and upset only.
Insurers, then, might revisit the type of cover they provide and the sort of risk that should be excluded to limit their exposure to paying out for distress claims. They could also provide cover with an additional premium.
Their quandary is that Morrisons' due-diligence procedures, data systems and controls were in order, and it's unclear what an insurer could do to investigate a company’s possible future vulnerabilities. Moreover, the ICO didn't fine the supermarket chain for privacy-law breaches.
It's also possible that the judgment will lead the insurance industry to step in and act as a driver of better corporate governance and control systems as a way to contain the cost of claims. Insurers can educate their clients on managing their risks and make cover conditional on organizations meeting high standards.
But this all depends on insurers having regulatory clarity, which will require a dialogue with the ICO about what the judgment means. That will help companies and their insurers get a sense of what Morrisons could have done to convince judges it didn’t share any liability, while accepting that it would be impossible to pin that down completely. It’s the preferred route for insurers.
The ICO has said it would consider Morrisons' case and the courts' findings once the procedure is over.
A lack of regulatory advice and interpretation could result in companies over-reacting and taking extreme measures to manage the risk. There will then be a need for new laws that provide clarity.
Companies might also decide to restrict employees' access to data. But there’s only so far they can go in a world where businesses increasingly rely on data to improve customer experience and provide new services. Employees with access to data need a degree of autonomy to make decisions.
So the nerves are justified. Companies might just need to accept that they are exposed to the risk of vicarious liability, knowing they can’t entirely eliminate the risk. But as for how best to mitigate the risk and minimize the cost, the debate has hardly gotten under way.