Singularis: the attribution of wrongdoing to corporate entities and the insurability of fines

The Supreme Court’s approach in Singularis, if applied to the insurance of fines for breaches of the GDPR, could mean that some fines are insurable at law.

05 November 2019


Summary:

In Singularis v Daiwa, the Supreme Court confirmed that context is all when asking whether an employee’s wrongdoing should be attributed to the employer (a company). The employee’s wrongdoing in relation to wrongs done to third parties is attributed to the company, making the company vicariously liable. Those same wrongs may not be attributed to the company if the company then makes claims against others in respect of damage caused to it by the employee. Where the company is not the real wrongdoer, could this mean a move away from the illegality defence in the context of insuring GDPR fines?

Background

In July 2019, the Information Commissioner’s Office (ICO) stated its intention to impose a £183m fine on British Airways for a breach of the General Data Protection Regulation (GDPR). The ICO followed the British Airways announcement by announcing a further fine of almost £100m on the Marriott Group. Given the size of these fines, businesses and their insurers are understandably anxious to know: can businesses insure against fines for breaches of the GDPR?

Current law

Insurance policies often state that they provide cover for a fine to the extent that the fine is legally insurable. There is no statutory or regulatory prohibition against insuring fines for breaches of the GDPR.

The received wisdom, however, is that fines cannot be insured because of the illegality defence (ex turpi causa). The public policy argument is that a person should not be able to insure against a fine for criminal or quasi-criminal conduct, since that would defeat the deterrent and/or punitive effect of the fine.

Safeway v Twigger is the leading decision regarding the insurability of fines. This concerned a fine imposed by the Office of Fair Trading (OFT) on Safeway for anti-competitive pricing of dairy products. Safeway sought to recover from the employees whose actions had made it liable to the fine. Safeway’s claim really targeted the errant employees’ D&O insurance cover.

The Court of Appeal considered whether the illegality principle barred Safeway’s claim. It was accepted that the employees’ actions were morally culpable, but a secondary question was asked: did the illegality defence bar the action where Safeway was not the real wrongdoer but was merely vicariously liable for the employees’ actions? The Court of Appeal found that Safeway’s liability under the Competition Act 1998 was direct, rather than vicarious. It followed that the wrongdoing was Safeway’s own. Safeway’s claim was barred for illegality, and the fine was not insurable.

The Safeway decision is often cited to support the view that fines for breaches of the GDPR will not be insurable, because the illegality principle will prevent companies from obtaining an indemnity for a fine imposed to address their own wrongdoing. However, the decision has been criticised both judicially and academically. It has been pointed out that, following Safeway, a company cannot take any action against errant employees (including dismissing them) because the employees’ wrongdoing would legally be the company’s. That cannot be right.

Singularis v Daiwa

In Singularis, the company’s principal director and shareholder fraudulently transferred large sums from the company’s account; the transfer caused the insolvent liquidation of the company. The company sued the bank for negligently failing to question the director’s instructions. The bank argued that the fraud of the director should be attributed to the company, giving the bank an illegality defence. The Supreme Court rejected that defence, including on the basis that the director’s fraud was not attributable to the company for the purpose of the negligence claim against the bank.

The Supreme Court decision is the latest to suggest that a company should not be prohibited from recovering damages/an indemnity from third parties where the company was not the real wrongdoer. A company may sue, for example:

  • its directors who caused the company to carry out a fraud on the Revenue (Bilta v Nazir [2015] UKSC 23);

  • its auditors who failed to detect that the director was carrying out a fraud on the company/its creditors (the controversial House of Lords decision in Stone & Rolls v Moore Stephens [2009] UKHL 39, which has been confined very heavily to its facts); and

  • its bank, who was negligent in acting on the instructions of the leading director/shareholder in obeying a request to transfer large sums of money from the company account (ie the facts of Singularis).

The employee/director’s fraud will not be attributed to the company in any of these situations, so there will be no illegality defence.

Conclusion

There has not yet been an English case deciding the specific question of whether a GDPR fine is insurable. It may, though, be only a short logical step from the cases cited above to the view that an insurance claim in respect of such a fine should not be barred by the illegality defence, at least where the acts in question are those of an employee, and the company is not the real wrongdoer.

The ICO can impose liability without finding fault at company level. This can happen, for example, where an employee wilfully and without authorisation breaches a company’s data handling protocol. On the one hand, the employee’s wrongs are attributed to the company for the purposes of liability to third parties (eg customers and/or regulators). But, on the other hand, arguably no such attribution occurs in the context of the company’s claim against its insurer; the public policy principle preventing insurance of the fine does not come into play. A company could face liability where it is the victim of a malicious attack that results in a data breach, even though its systems were adequate. The company would not be the ‘real wrongdoer’ and the public policy principle would similarly not apply.

Naturally, this reasoning could not apply where the company is the real wrongdoer, for example where the wrongful acts which are the subject of the fine were decided by senior management and approved by the shareholders. Only those fines imposed on the company by the rogue acts of errant employees or third parties (eg a hacker) without the knowledge of the management or shareholders may, in the light of Singularis, be insurable.

The courts are yet to revisit the question of the insurability of fines in the light of Bilta and Singularis. Given the ICO’s appetite for imposing considerable fines, the courts may be required to do so sooner rather than later.
