December 5, 2017

Vicarious liability for data breach by rogue employee

In the first group litigation of its kind, Morrisons Supermarkets was found to be vicariously liable for the actions of a rogue employee who, driven by a grudge against the supermarket chain, took payroll data relating to 100,000 employees and published it online. This was despite the fact that Morrisons was found to be entirely innocent of any misuse, that the employee had acted deliberately to harm his employer, had been convicted and imprisoned for his actions, and that disclosure of the data had been done at home, on a Sunday, outside office hours. In principle, the decision could mean that Morrisons will be liable to compensate all 5,500 employees involved in the claim. Permission has already been given for Morrisons to appeal the decision to the Court of Appeal.

In January 2014, a file containing personal details of nearly 100,000 Morrisons' employees was secretly and unlawfully posted on a file sharing website by Andrew Skelton (S), an internal auditor. S had been provided with this data as part of Morrisons' annual statutory audit process; he was one of a limited number of employees who had been permitted access to all of the data, which was held in a secure internal environment created by proprietary software. Earlier, in November 2013, S had secretly copied the data from his encrypted work laptop onto a personal USB drive.

Later, in March 2014, S anonymously sent a CD containing a copy of the data to three newspapers, with a message that the person supplying the information had "worryingly discovered" that the payroll data was available on the web. A criminal investigation and trial ensued, in which it emerged that S's actions had been born of a grudge he held against Morrisons following a disciplinary process against him earlier in 2013, in which S felt he had been unjustly treated. S was convicted in relation to his criminal misuse of the payroll data and was sentenced to eight years in prison. The length of the sentence was partly because of the serious damage his actions had caused to Morrisons.

Immediately after Morrisons discovered the breach, it took action to have the website taken down, to protect the data and to guard against any financial loss which might result from the disclosures. Despite this, 5,500 employees brought a claim on the basis that Morrisons was directly liable for S's act of disclosing the data or, alternatively, that it was vicariously liable for S's actions.

Morrisons not directly liable for the disclosure

Dismissing the claim for direct liability for misuse or disclosure of the data, the Court concluded that Morrisons could not reasonably have known that S posed a threat to the employee database, and that the protections it had in place were either sufficient or could not have prevented the disclosures.

Vicarious liability

The Court then turned to vicarious liability and concluded that there was a sufficient connection between the position in which S was employed and his wrongful conduct. In coming to this conclusion, the Court said that the question is not whether Morrisons (M) did anything wrong, but whether, when S did, his acts were closely connected with his employment.

The following key points arise from the judgment:

  • The Court found there was such a close connection between S's acts and his employment because the disclosure was closely related to what S was tasked to do: his role was to handle the payroll data, receive it, store it for a while, transfer it to others and then delete it. By employing S to carry out that activity, M created the risk of the wrongdoing being committed. When S received the data, he was acting as an employee, despite the fact that he was covertly intending to copy it when he received it; the fact that the disclosures were made from home on a Sunday did not disengage them from his employment.
  • It did not matter that M derived no benefit from the wrongdoing. In fact, past cases show that vicarious liability has been established in many instances where an employee's actions have done serious damage to their employer's business reputation.
  • The issue is not so much at whom the conduct was aimed, but rather upon whose shoulders it is just for the loss to fall. Morrisons is more likely to have the means to compensate the victims than S, and can be expected to be insured.

What this decision means for employers and data controllers

This case has significant implications for all data controllers who use employees or agents to process data. Where individuals can access data, there will always be a risk that data might be mis-processed or even disclosed without authority. The harm caused to an employer from this type of data breach could be substantial, ranging from reputational damage to possible losses suffered by individual employees from identity fraud. Assuming the judgment still stands, and despite the fact that Morrisons may have been able to mitigate the Claimants' loss by acting quickly after the breach was discovered, any compensation could include damages for distress even if there is no direct financial loss suffered. A recent claim against the Home Office by individuals whose personal data was disclosed when a spreadsheet was accidentally uploaded illustrates how damages for distress are available for data protection breaches (TLT & others v Secretary of State for the Home Department and the Home Office [2016] EWHC 2217).

Data controllers can take precautions to prevent breaches by ensuring the most appropriate and best systems are in place. In this case, Morrisons had taken precautions by limiting access to a few trusted employees and by carrying out internal checks to see which of those few authorised "super-users" had access to the data. However, this was not enough to avoid vicarious liability for the actions of an employee who deliberately and criminally disclosed data in order to harm his employer.

This decision only determined Morrisons' liability towards the Claimant employees for the data breach. There will have to be another hearing to decide compensation. In the meantime, it seems likely that the decision will be appealed, particularly in view of the Court's concern that, by deciding against Morrisons, the Court might inadvertently have become an accessory to furthering S's criminal aim of harming his employer.

Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113 (QB)