Vicarious liability: Supreme Court rules in favour of Barclays and Morrisons

This is good news for businesses that transfer risk onto insurers, and good news for insurers insofar as their policies aren’t worthless…:

The COVID-19 pandemic didn’t stop the Supreme Court from handing down major decisions on vicarious liability on April 01. Here Insurance Business gives you the lowdown.

[…]

Morrisons
“The circumstances in which Skelton committed wrongs against the claimants were not such as to result in the imposition of vicarious liability upon his employer,” declared Lord Reed, referring to former senior IT auditor Andrew Skelton, who in 2014 compromised the payroll information of about 100,000 Morrisons employees. “Morrisons cannot therefore be held liable for Skelton’s conduct.”

You can read more about the landmark data breach case here.

Offering insights on the case, Woods asserted: “Morrisons, or rather their insurers, could have faced a bill of at least £10 million in compensation if they had failed in their attempt to overturn this judgment and it would have represented a disturbing extension in the law of vicarious liability.

“However, despite Morrisons winning this case, it should still serve as a wake-up call to businesses to have robust data protection policies in place to ensure, so far as possible, they are not victims of a similar breach.”

For Herbert Smith Freehills partner Greig Anderson, the ruling is good news for corporates and their insurers, but he stressed that a major challenge is left unanswered.

Explaining, Anderson said: “The expectation of the courts below had been that insurance was the answer to the point that the judgment effectively helps achieve the rogue employee’s aim – namely to harm Morrisons. Insurers may therefore be breathing a sigh of relief – but only up to a point.

“Vicarious liabilities for data breaches by rogue employees are insurable in principle, but these claims are not doomsday for the insurance market. That’s because the main risk for corporates – and therefore insurers – is direct liability claims and related losses, which continue apace on an upwards trajectory.”

Anderson pointed out that while cyber insurance can be purchased to cover data breach claims, corporates’ risk transfer strategies vary and cover “cannot necessarily be banked upon” in all cases.

“The main challenge therefore remains,” he claimed, “and is not answered here: how much cover would I need to buy for a reasonable worst case, and is that available at reasonable cost on a good wording. Given that the measure of damages is still unclear, this issue will continue to be wrestled with.”

[…]

Original article here