In our December 2017 newsletter, we reported on the High Court decision in Various Claimants v Morrisons that ruled that an employer can be vicariously liable for an employee's misuse of private information, notwithstanding that the employer had taken appropriate measures to prevent a data breach and the employee had deliberately misused the data with the intention of causing damage to the employer. Morrisons were held vicariously liable for the leak of personal details (including financial information) of almost 100,000 of its members of staff by an ex-employee.
This decision, described by the judge as having "the possibility of eye-watering liability" for employers, will likely influence cyber and data protection minds for some time, not least because Morrisons have appealed to the Court of Appeal and this is expected to be heard in October 2018.
In the meantime, the High Court's decision on the parties' costs was handed down in May 2018 to much less fanfare. Although the claimants were successful in their claim that Morrisons was vicariously liable for its employee's misuse of private data, the claimants were only able to recover 40% of their costs because they failed in their claim on direct liability.
The Claimants argued that the general costs rule should apply and, as the overall successful party, they should recover their costs in full.
Conversely, Morrisons argued that the majority of the claimants' pleadings, arguments and time at trial had centred on the direct liability argument – an issue on which the claimants lost. Indeed, more than three pages in the Particulars of Claim dealt with direct liability compared to only three lines on vicarious liability, and 13 of the 14 issues at trial concerned direct liability.
Langstaff J emphasised that an award of costs is discretionary and that the trial judge is uniquely placed to form a view on the percentage of costs the winning party should recover because of his knowledge of the trial.
The Claimants had pursued liability under both direct and vicarious liability. Langstaff J determined that the direct and vicarious liability issues were not entirely distinct and there was indeed a sufficient degree of overlap between the two issues for there to be common costs. He also, however, accepted that a balance needed to be struck between the costs the losing party is required to pay and the issues on which it succeeded. While the Claimants had won overall, Langstaff J concluded that the claims for direct liability were "tenuous" and "The Defendant should not in justice be required to pay for this, but rather be made subject to a costs order which reflects the fact that it succeeded in resisting those claims." He concluded that Morrisons should only pay the claimants 40% of their costs of the action.
While the decision may not break any new legal ground, given that legal costs will likely be the area of greatest exposure for liability and cyber insurers, it is comforting that the judge emphasised that claimants must plead arguments in a proportionate and focussed way and those that indulge in tenuous arguments risk a significant reduction in their costs recovery. In the realm of data protection and privacy litigation, where the landscape is currently undergoing significant change and new law is being crafted month on month, such a reminder is timely.