A summary of recent developments in insurance, reinsurance and litigation law

Various Claimants v Morrisons Supermarket: Company found vicariously liable for a deliberate data protection breach by a disgruntled employee

http://www.bailii.org/cgi-bin/format.cgi?doc=/ew/cases/EWHC/QB/2017/3113.html&query=(morrisons)

In 2014, the personal details of almost 100,000 employees of Wm Morrisons Supermarket Plc ("the employer") were posted on the internet. These details included salary and bank account details, thus exposing the employees to the risk of identity theft and phishing attempts (in order to access their accounts).

An investigation eventually revealed that the information had been leaked by a senior IT auditor of the employer. It appeared that he had been motivated by a grudge against the employer, having received a formal verbal warning following an incident involving the use of the employer's postal system to send a legal drug. He was convicted under the Data Protection Act 1998 ("the DPA") and sentenced to 8 years in prison.

In the first reported decision of its kind, a class action was brought by some of the 100,000 employees against the employer, on the basis that the employer was both directly (primarily) and vicariously liable for the data breach. Langstaff J has now held as follows:

(1) Direct liability: An employer was not directly liable for a breach which it had not authorised or required. It had not been the "data controller" at the time of the relevant breaches of the DPA. A data controller is the person or company that makes decisions about how and why personal data are processed. It was the employee who became the data controller in respect of the disclosed information once he decided to put it on the internet. The obligations of the DPA relating to unauthorised disclosure are placed on the "controller" alone.

Nor was the employer liable under Data Protection Principle 7 ("DPP7"), which provides that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data...". The mere fact of disclosure does not breach DPP7, and nor is a duty to take reasonable care imposed: "Thus, the fact that a degree of security may technologically be achievable, which has not been implemented, does not of itself amount to failure to reach an appropriate standard". A balance had to be struck and the judge advised that "In short, I would expect a higher standard to be observed as to the measures appropriate to protect data relating to 100,000 employees than I would expect in respect of a small enterprise employing 6 or 7 workers".

On the facts here, there had been no breach of DPP7 by the employer. The employer had put in place adequate and appropriate controls and there had been no indication that the employee, although upset by the recent disciplinary action, could not be trusted to do his job. Furthermore, it would have been impracticable to actively monitor internet searches by employees, and, even if the judge was wrong on that point, he held that such searches would not have prevented the data disclosure which occurred.

Accordingly, the employer was not directly liable under the DPA (or under common law or equity).

(2) Vicarious liability: The principles for establishing vicarious liability were not disputed in this case. Vicarious liability requires (1) the necessary relationship between the defendant and the wrongdoer, and (2) the necessary connection between that relationship and the wrongdoer's conduct.

The first issue to be determined here, though, was whether an employer could be held to be vicariously liable at all for breaches by its employees of the DPA.

The judge determined that it could because "A party may be held liable vicariously even for a breach of a Statute for which the party could not itself be held liable". It made no difference that the employee here had been acting as an autonomous, self-directing controller in respect of the relevant data and that the employer had fulfilled its own obligations under the DPA. The purpose of the DPA and the relevant European Directive would be defeated if "at the moment an employee decides to misuse data to which his employer has given him access the employer ceases to be under any further liability, on the basis that the employee thereafter will be data controller in respect of the misuse".

As to the facts of the particular case, the employer argued that there had been no "necessary connection" (limb (2) of the vicarious liability test) as the employee had used his own computer whilst at home on a Sunday in order to disclose the information on the internet.

That argument was rejected by the judge, who found that there had been "an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events". Dealing with this data was a task specifically assigned to him by the employer and when he had received the relevant data he had been acting as an employee.

Accordingly, the judge found that the employer was vicariously liable for the data breach. Quantum is to be assessed at a later date.

Nevertheless, at the conclusion of his judgment he added that "the point which most troubled me in reaching these conclusions was the submission that the wrongful acts of [the employee] were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims".

Accordingly, he gave leave to the employer to appeal his conclusion as to vicarious liability.

COMMENT: This decision (if it stands following the appeal) has potentially wide-ranging implications for companies and employers following the unauthorised disclosure of data by individual employees. By its nature, and as this case demonstrates, the potential number of victims following a data breach by an employee far exceeds the ordinary number of potential victims in most cases to date involving vicarious liability. The judge rejected an argument by the employer here that "the possibility of 'eye-watering liability' may impose enormous pressure on a data controller to limit the presence of human agency". He commented that the potential difficulties faced by companies can be met by appropriate insurance. Whether the insurers will wish to address this risk, though, in policy wordings going forward, remains to be seen.

Aspen Underwriting v Credit Europe Bank: Court considers jurisdiction for a Misrepresentation Act 1967 claim by insurers

http://www.bailii.org/ew/cases/EWHC/Comm/2017/3107.html

Quite apart from the duty of utmost good faith/fair presentation, insurers might possibly have a remedy for negligent misrepresentation under section 2(1) of the Misrepresentation Act 1967 (where an insured makes misrepresentations when taking out a policy). The relevance of this post the Insurance Act 2015 is that insurers might be able to claim the additional premium which they might have charged in the absence of the misrepresentation as damages under the 1967 Act (a remedy which is not expressly provided for under the Insurance Act 2015, but which insurers might wish to have if they discover a misrepresentation even though no claim has been made). In Liberty v Argo (see Weekly Update 45/11), the judge held that the insurer's claim for damages for misrepresentation was not "bad law" but suggested that the Court of Appeal should decide whether such damages should be available where the right to avoid has been lost (as it had in that case). The Court of Appeal did not need to decide the point though as the argument was not pursued by insurers. Accordingly, there do not appear to be any reported decisions to date where an insurer has in fact received damages for misrepresentation (probably because prior to the Insurance Act, an insurer would usually choose to avoid the policy instead).

The earlier decision in this case was reported in Weekly Update 28/17 (Aspen Underwriting v Kairos Shipping). The insurers seek repayment of a sum paid under a settlement agreement after discovering that the vessel which they insured had been deliberately sunk by the master, at the request of the owners. In the earlier decision, the judge accepted that the claim for damages based on misrepresentation (not under the 1967 Act) could be brought in this jurisdiction, so long as the "harmful event" occurred here. It was accepted that it did because: (a) the settlement agreement was signed here and the insurance proceeds were paid into the brokers' account in London, or (b) the misrepresentations were made in London and the insurers were induced here too.

In this case, the court was required to decide whether the English court has jurisdiction to hear a claim for damages brought under section 2(1) of the Misrepresentation Act 1967. Teare J held that it does. He held that the insurers had the better of the argument that a claim for damages under the 1967 Act is a claim relating to tort within the meaning of article 7(2) of Regulation 1215/2012, and the harmful event occurred in England (for the reasons given above). Although proof of a contract between the insurers and the defendant will still be needed, the claim remains one which relates to tort. However, permission to appeal on this point was given.

Brian Glasgow v ELS Law: Court holds insurers are not entitled to a lien for unpaid premium due from insolvent insured

An insolvent company obtained damages in a professional negligence claim against its solicitors. That claim had been pursued with the benefit of various insurance arrangements (including ATE insurance). The insurers sought recovery of unpaid premium but the bankruptcy trustee of the company argued that they were only unsecured creditors in respect of the proceeds.

The company had entered into a "Priorities Agreement" with (inter alia) the insurers. This had mistakenly provided that the premium would be recoverable from the solicitors (ie the losing defendant) in the event of a judgment against the solicitors. However, ATE premium is no longer recoverable from the losing party. Accordingly, the insurers had no contractual (or statutory) right to a lien over the proceeds.

The insurers sought to argue that they were entitled to a lien because their position was analogous to that of a solicitor (who has a common law and equitable lien over the proceeds of a judgment which is obtained "by the solicitor's exertions"). That argument was rejected by the judge. He held that there is no general right to a lien merely because a party has done work or spent money which has preserved or benefitted the property of another. If a lien is to be imposed, that should be done by Parliament, and not the courts. Furthermore, the general rule is that where the parties have contracted for an unsecured right only, the court will not elevate it to a secured status by means of a lien. The terms of the Priorities Agreement had been such that insurers did not have a right of priority over the litigation proceeds.

Liverpool Victoria Insurance v Yavuz & Ors: Judge considers test for contempt of court in insurance fraud case

http://www.bailii.org/ew/cases/EWHC/QB/2017/3088.html

The insurer alleged that nine defendants who had brought claims for damages in relation to car accidents were part of a "crash for cash" conspiracy to defraud the insurer. Warby J considered the appropriate test for contempt of court proceedings. Reference was made to the earlier decision of Barnes v Seabrook (see Weekly Update 29/10), in which certain propositions were laid down. This included the proposition that "a person who makes a statement verified with a statement of truth, or a false disclosure statement, is only guilty of contempt if the statement is false and the person knew it to be so when he made it".

Warby J thought it was arguable that that proposition "may have been a little too narrowly framed". CPR r32.14 provides that contempt proceedings may be brought against a person who makes a false statement verified by a statement of truth "without an honest belief in its truth" and the judge said that "It would seem to be inherent in this wording, and consistent with principle, that the reckless individual who verifies a false statement with no care or consideration for whether it is true or false may be guilty of contempt, as well as a person who tells a deliberate lie".

The defendants had also argued that in order to establish contempt, it must be shown that the statement "interfered with the course of justice in a material respect" and that the defendant was "aware of its significance and purpose in the proceedings". The judge said that that put the matter too high: "The false statement must have a tendency to interfere with the course of justice in a material way ... but I do not think it can be right to say that a person can only be in contempt if they succeed in causing actual interference".

Finally, the threshold requirements for permission do not define what is or is not a contempt of court. The judge left open the following issue: "it does not seem to me to follow that if, after a trial, a claimant proves some significant dishonesty the Court would be debarred from finding contempt established just because the dishonesty was not as grave as that alleged at the permission stage, and would not of itself have justified the proceedings".

On the facts, the defendants were found guilty of contempt and sentenced to prison.

One further issue was also left open by the judge, although he suggested that the Civil Procedure Rules Committee might consider it: Whether contempt proceedings could be brought in respect of the claim notification forms ("CNFs") which were filed through the online claims portal and which contained statements of truth made by the defendants' solicitors but which contained false statements.

Oldham v QBE Insurance: Insurers entitled to reimbursement of defence costs where claim not covered

http://www.bailii.org/ew/cases/EWHC/Comm/2017/3045.html

The claimant notified his professional indemnity insurers of a claim against him. The insurer was obliged under clause C10.2 of the ICAEW's Minimum Terms to advance defence costs in relation to that claim "in the event of any dispute concerning liability to indemnify the insured...pending resolution of any such dispute". The insurer separately disputed cover under the policy and referred the matter to arbitration. The arbitrator held that there was no cover under the policy and the claimant was ordered to pay the arbitration costs. The claimant was given a number of extensions to respond but before expiry of the last deadline, the arbitrator found that the insurer was entitled to reimbursement of the defence costs and the claimant was ordered to make a payment on account of costs within 28 days of the award. The claimant appealed/challenged the award under sections 69 and 68 of the Arbitration Act 1996 and Popplewell J has now held as follows:

(1) The arbitrator had not erred in finding that the insurer was entitled to reimbursement of the defence costs. It would "have the effect of altering the scope of cover" to allow defence costs to be covered so long as they were incurred at a time when coverage was still in dispute. The judge rejected an argument that "pending" in clause C10.2 meant "until": "It is absurd to suppose that...[there is] no right of reimbursement to insurers if coverage were held not to exist".

(2) However, the court agreed that the claimant, a litigant in person, had been deprived of a fair opportunity to advance his arguments in relation to the award to pay the insurer's costs and to make a payment on account. That had breached the arbitrator's duty under section 33 of the 1996 Act and so these matters were remitted to the arbitrator for reconsideration.
