In Europe, the UK is ahead of the curve when it comes to data breach litigation. The recent UK Supreme Court judgment in Morrisons clarified that the doctrine of vicarious liability does not mean that employers are liable for data breaches resulting from the unauthorised acts of their employees that are outside the course of their employment and are not closely connected to authorised employment activities. This sensible judgment is good news, but the overall trend towards mass compensation claims in the aftermath of serious breaches continues alongside the trend of regulatory investigation and enforcement action. Claims can be brought for direct liability for failures to comply with the GDPR and the UK Data Protection Act 2018, and for vicarious liability for acts or omissions of employees in the ordinary course of their employment (such as errors and omissions). There is no way to eradicate the insider threat, but employers can take steps to mitigate the risk of breaches occurring (and possibly the quantum of any regulatory fines and damages awarded by courts). See the Cybersecurity Law Report piece below for the views of experts from leading firms and also the Dentons deep dive on the judgment at https://www.dentons.com/en/insights/articles/2020/april/7/uk-supreme-court-judgment-on-morrisons-good-news-for-employers
Employers can rest a little easier after the U.K. Supreme Court’s unanimous April 1 decision overturning the Court of Appeal’s 2018 finding that Morrisons, a U.K. supermarket chain, was vicariously liable for the data breach committed by a rogue employee. The 2018 appellate decision had shocked many practitioners because of its broad interpretation of vicarious liability. The Cybersecurity Law Report spoke with Bird & Bird partner Ruth Boardman, Cooley partner Mark Deem and Dentons partner Antonis Patrikios about the significance and implications of the decision. This was “certainly a sensible judgement,” which was “good news for employers,” and a result “that many in the economy (including insurers) were hoping for,” Patrikios said. See “U.K. Employers on the Hook for Rogue Employee Data Leaks Post-Morrisons” (Feb. 27, 2019).