The ruling stems from a case that signals a growing trend toward group action litigation involving data protection, and poses new risks for companies who should respond with increased vigilance in employee recruitment, training, and monitoring.
On 1 December, the UK High Court held in Various Claimants v. WM Morrisons Supermarket PLC for the first time that a company could be vicariously liable for an employee’s misuse of data. The case is also the first example of class action litigation in the data protection arena in the United Kingdom, potentially marking a new risk for companies at a time when the spotlight is on data protection obligations with the forthcoming General Data Protection Regulation (GDPR) in force on 25 May 2018.
Andrew Skeleton, a disgruntled Morrisons employee, took the personal information of around 100,000 colleagues and published it on the internet in 2014. Skeleton was a senior IT auditor and had been involved in a project involving payroll data. He was subsequently convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA). There was no substantive allegation that Morrisons had breached its obligations as the data controller to protect this personal data.
The claimants in the current case were a group of more than 5,500 Morrisons employees affected by the data leak. They sought compensation from Morrisons for breach of the DPA, as well as common law claims for the tort of misuse of private information and an equitable claim for breach of confidence. The claimants alleged both a direct breach of the DPA by Morrisons for failing to protect their data and that Morrisons was vicariously liable for the actions of Skeleton.
The High Court rejected the direct breach claim since Morrisons was not the “data controller” (as defined in the DPA) at the relevant time with respect to the data. The Court also found that Morrisons had in place proper control mechanisms to protect employees’ personal data. This is an important finding as it means that employers can still be liable vicariously even though they had correct policies and procedures in place to train employees and protect personal data because of the actions of rogue employees.
The High Court, however, found in favour of the claimants with respect to the vicarious liability claim. The High Court held that the DPA does not exclude the possibility of vicarious liability and that an employer can be vicariously liable for the actions of employees in relation to data breaches. In the current case, the High Court held that there was a sufficient connection between Skeleton’s employment and the wrongful conduct to hold Morrisons liable. The High Court found that “there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events” even though the disclosure itself did not occur on a company computer or during working hours.
What does it mean for companies and employers?
The decision is significant for all organisations who handle personal data. It demonstrates that even where a company has done everything it reasonably can to prevent employees from misusing personal data, and is not directly involved, it may nevertheless be vicariously liable for the actions of those employees. The judgment also illustrates the broad approach given to the “close connection” between employers and their employees test. Employers should therefore be alert to potential liabilities in this area and review employee monitoring practices as well as recruitment and training measures.
It is also the first case of a group action being brought against an employer in relation to data protection under the English Civil Procedure Rules. Such actions are common in the US and this case potentially indicates a greater trend in the English legal system where there is a common interest among the claimants or where multiple claims can be conveniently disposed of in the same proceedings.
Morrisons has indicated that it intends to appeal. Given the importance and sensitivity of the case, the Court has already granted permission to appeal.
This holding comes as the spotlight is already on data privacy issues in the United Kingdom. The new GDPR can give rise to significant liabilities of up to the higher of 4% of global turnover or €20 million ($23.5 million) for data breaches. It remains to be seen how the data protection authorities and/or courts will apply this vicarious liability approach to such stringent fines.