October 26, 2018

Court of Appeal confirms supermarket vicariously liable for data breach by rogue employee

An alarming decision handed down by the Court of Appeal this week against supermarket Morrison is certain to hurry employers to their insurance brokers to protect themselves against data breach. Confirming the High Court's earlier decision (which we reported on in 2017), the Court of Appeal found that Morrison was vicariously liable for the actions of a rogue employee who, driven by a grudge against the supermarket chain, took payroll data relating to 100,000 employees and published it online.

The facts are fairly well known given the media attention, but here's a brief summary.

Andrew Skelton (S), an internal auditor and employee of Morrison, had been provided with the personal data of 100,000 Morrison employees as part of Morrison's annual statutory audit process; he was one of a limited number of employees who had been permitted access to all of the data, which was held in a secure internal environment created by proprietary software. S had secretly copied the data from his encrypted work laptop onto a personal USB drive and then published it on a file-sharing website. He then anonymously sent the data on a CD to three newspapers with a message that the person supplying the information had "worryingly discovered" that the payroll data was available on the web. A criminal investigation and trial ensued, where it emerged that S's actions had been born of a grudge he held against Morrison following a disciplinary process against him earlier in 2013, in which S felt he had been unjustly treated. S was convicted in relation to his criminal misuse of the payroll data and was sentenced to eight years in prison. The length of the sentence was partly because of the serious damage his actions had caused to Morrison.

Immediately after Morrison discovered the breach, it took action to have the website taken down, to protect the data and to guard against any financial loss which might result from the disclosures. Despite this, 5,500 employees brought a claim on the basis that Morrison was directly liable for S's act of disclosing the data or, alternatively, that it was vicariously liable for S's actions. The claims were heard by the High Court in 2017 in the first group litigation of its kind.

So why was Morrison liable, when it was found to be entirely innocent of any misuse of private information, and (except in one inconsequential respect) its data security measures were adequate?

The Court of Appeal's reasoning is based on the principle of vicarious liability and how that interacts with an employer's duties under the Data Protection Act 1998 (DPA)*.

What is vicarious liability?

At common law, an employer will be liable for the wrongful actions of its employees where (1) the employee's actions fall within the "field of activities" entrusted to them and (2) there is a sufficient connection between those wrongs and the employee's employment such that it would be fair to hold the employer vicariously liable. The Court of Appeal said that the High Court had plainly been correct to conclude that S was deliberately entrusted with the payroll data, and that when S sent the data to the media and published it online, this was within the "field of activities" assigned to him.

Can you escape vicarious liability even if you've complied with the DPA?

The DPA puts employers under a duty to have in place "appropriate technical and organisational measures" to protect personal data. Where a data breach occurs, the individuals whose personal data is disclosed have potential claims under common law for breach of confidence and misuse of personal information (and can claim compensation for loss suffered, including distress). Morrison argued that although the DPA doesn't do away with those common law rights, it had complied with all of its duties under the DPA and done all it could to protect the data, so it shouldn't be vicariously liable for its rogue employee's actions. The Court of Appeal disagreed. It ruled that the DPA does not oust an individual's claim for breach of confidence and misuse of personal information, nor does it contain any provision addressing the situation where an employee who is himself a data controller breaches the DPA; this leads inevitably to the conclusion that the High Court was correct to hold that the DPA did not exclude the remedy of vicarious liability.

What this decision means for employers

Data breaches are becoming commonplace and perhaps inevitable. The case sends a clear message to business: unless and until this decision is reversed, insure against data breach, since even though you may have done everything you reasonably can to secure the personal data you hold, you may still be liable for breaches caused by rogue employees. This may not be the end of the matter, however, as Morrison has indicated its intention to appeal to the Supreme Court.

WM Morrison Supermarkets PLC v Various Claimants [2018] EWCA Civ 2339

*The case was decided under the DPA 1998. This has now been replaced by the GDPR and the Data Protection Act 2018, but the same principles apply.