Insurance Coverage Alert: Lessons to Learn about Cyber Risk - Various Claimants v Morrisons Supermarket PLC [2017] EWHC 3113 (QB)

by K&L Gates LLP

K&L Gates LLP

A recent judgment of the High Court provides a stark lesson for organisations about the need to protect themselves properly against cyber-related risks. With the introduction of the General Data Protection Regulation ("GDPR") in May 2018, effective prevention and response protocols, and - vitally - comprehensive insurance coverage is a must-have for companies of all sizes.

In Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113 (QB), Langstaff J found that the defendant supermarket, Morrisons, had breached its data protection obligations and was liable to pay compensation to over five thousand current and former employees. The judge held that Morrisons, in its role as a data controller, had not breached its data protection obligations. However, an employee ("Mr Skelton") had breached data protection legislation (for which he is now serving an eight-year prison sentence). Morrisons was held vicariously liable for Mr Skelton's conduct.

Mr Skelton was a Senior IT Auditor, employed by Morrisons. In 2013, he had been subject to disciplinary proceedings which resulted in him receiving a formal warning. The judge in Mr Skelton's criminal trial said this formal warning caused Mr Skelton "to harbour a very considerable grudge and harbour very considerable bad feelings towards Morrisons". Nevertheless, Mr Skelton continued to be employed by Morrisons.

In 2014, as part of his role, Mr Skelton obtained a USB stick containing a significant amount of employee payroll data, which was intended for Morrisons' auditors. He copied the payroll data and then leaked the contents online and to newspapers. He was subsequently arrested and convicted under the Computer Misuse Act 1990 and Data Protection Act 1998 ("DPA 1998").

Relevant Law
There are two key points of law relevant to this case:

  1. First, the DPA 1998 establishes a number of rights and obligations which apply to data subjects and data controllers respectively. In particular, section 4(4) sets out the Data Protection Principles ("DPPs") with which data controllers are required to comply. DPP 7 provides that data controllers must take "appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, and damage to, personal data." Further, it is possible for a claimant to claim 'moral' or 'distress' damages from a defendant which is in breach of its obligations, even in circumstances where actual loss has not been made out.
  2. Under English employment law, an employer can be liable for the wrongful acts of its employees, if the wrongful act is sufficiently closely connected to the employee's job description. This is known as 'vicarious liability'. In this case, Mr Skelton's role as a Senior IT Auditor was held to be sufficiently closely connected to his wrongful act as to give rise to vicarious liability.  The fact that Mr Skelton was acting maliciously did not enable Morrisons to escape liability for his actions. 

In this case, the claimants whose data had been leaked brought a claim against Morrisons on several grounds including misuse of private information; breach of confidence; and breach of the DPA 1998 (on the basis of direct and/or vicarious liability). While the majority of the grounds for liability brought against Morrisons were dismissed, the judge found that Morrisons was vicariously liable for Mr Skelton's breach of the DPA 1998.

Various Claimants v Morrisons is significant because it highlights the risk that a data controller which is fully compliant with its obligations may nevertheless be liable for the wrongful acts of its current or former employees. The case is a classic example of a data breach caused by a disgruntled employee who has access to confidential data. It should be remembered that data breaches (as well as the consequential financial and reputational damage of such breaches) can be caused by a range of different external actors: criminals, terrorist groups, and even hostile foreign states or governments. It is not strictly necessary for a data breach to have been caused by an employee of the data controller for that controller to be held liable under data protection law.

While it remains impossible for an organisation to fully protect itself from all and any cyber risks, there are certain types of vulnerabilities that can be anticipated and minimised by undertaking a thorough cyber risk assessment. Companies should ensure they have effective security procedures and protocols in place.

Good practice aimed at prevention is essential. Equally companies should be prepared in case a breach does occur. Clear and effective response protocols should be in place. The type of compensation for which Morrisons was found liable as data controller, as well as the costs incurred in defending the proceedings, may be covered by insurance, if you have the appropriate cover in place. Companies should consider, as part of their risk mitigation process, what cyber-related coverage their insurance programme provides. Many traditional policy forms may not provide adequate cover and it is worth considering to what extent any potential gaps might be addressed by a dedicated cyber insurance policy. 

The Future
In May 2018, the GDPR will come into force and will replace the DPA 1998. The GDPR greatly widens the potential liability of data controllers for the loss of protected data and may well lead to an increase in claims by employees, customers, business partners and others whose personal data has been compromised. This new law makes the need for companies to have effective systems in place all the more acute.

Morrisons has been granted permission to appeal the judgment. However, even if Morrisons is successful in overturning the judgment, the case serves as a stark reminder of the financial and reputational issues at stake in the event of a data breach.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising

Written by:

K&L Gates LLP

K&L Gates LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.