The High Court has recently decided that Morrisons Supermarket was vicariously liable for the deliberate data breach of a former employee, even though the breach in question was motivated by the employee’s desire to cause damage to his employer? What lessons can be taken from this seemingly “harsh” decision?
Mr Skelton, worked as an Senior IT internal auditor for Morrisons Supermarket PLC (the “Employer”). In 2013, he was given a verbal warning for the role he played in the temporary shutdown of his Employer’s post room. This sanction seemingly triggered Mr Skelton to embark upon a series of actions designed wholly to damage the Employer.
These actions culminated with Mr Skelton committing a serious personal data breach by posting a file containing the personal details of almost 100,000 of the Employer’s employees on a file sharing website. Mr Skelton also sent a CD containing the same information to a local newspaper.
Mr Skelton’s culpability was not the focus of this case – this had already been proven. Instead, the current case was brought against the Employer, by approximately five thousand of the employees whose personal data Mr Skelton disclosed (the “Claimants”). In relation to each of the claims brought by the Claimants, the High Court (the “Court”) was asked to assess if the Employer was both directly and vicariously liable for the data breach.
The case is particularly significant because it is the first claim to be brought in the UK as a group action in relation to breach of the Data Protection Act 1998 (the “DPA”).
The Court held that the Employer was not directly liable for any breach. At the time the personal data breach took place, the Employer was not controlling the purpose for which the data was (mis)used. The misuse was that of Mr Skelton alone and as such it was he and not the Employer that was primarily in breach of the principles set out in the DPA.
In relation to vicarious liability, it is well established that an employer can be liable for the acts of its employees. However, this only applies where an employee is acting in the course of his employment. The Court therefore needed to determine if Mr Skelton was acting in the course of his employment.
Morrisons submitted a number of credible arguments in its defence of this point, including that; the disclosure of the Claimants’ personal details did not involve a work computer; the disclosure was not part of the work that Mr Skelton was required to do for the Employer; that the breach occurred on a Sunday (a non-working day for Mr Skelton); and moreover the act in question was a personal act by Mr Skelton designed specifically to harm the employer.
For their part, the Claimants submitted that there was a clear link between the work that the Employer required Mr Skelton to carry out (which legitimately gave him access to the disclosed data) and disclosure of the same. The Court, however, favoured the Claimants’ evidence and accordingly, the Employer was held vicariously liable for the data breach.
Take-away points for employers
It is likely that the Employer will exercise its right to appeal the decision on vicarious liability and as such, this case is likely to rumble on. Notwithstanding this, there are key lessons that we think employers should take from this initial judgment;
Appropriate security measures to prevent data breach.
In this case, the Court examined at length, the technical and organisation measures that the Employer had in place which could have potentially prevented Mr Skelton misusing the information to which he had access. Save for one point (that the Employer could have had in place a more robust system for ensuring that the data entrusted to Mr Skelton was deleted – see next bullet point), it was held that the systems and processes that the Employer had in place, were entirely adequate. With the impending General Data Protection Regulation (GDPR) coming into force next May, it will be even more important for employers to ensure that their data systems comply with the core data protection principles, not least the sixth principle of “integrity and confidentiality”.
Implement data retention policies and ensure they are being adhered to.
Morrisons failed to ensure that the personal data which Mr Skelton legitimately had access to, was suitably deleted after the requirement to hold the data for auditing purposes had expired. Data retention policies should be clearly explained to employees and steps should be taken to ensure that such policies are being adhered to, especially where there is a high risk to data subjects.
Disgruntled employees – Should their access to confidential information be curtailed?
In this case, the Court found that there was nothing about the original disciplinary incident which suggested that Mr Skelton could not be trusted with handling confidential information, including details about employees. However, is this always the case? In light of the judgment it is apparent that depending upon the circumstances, it may be an appropriate security measure to consider whether a disgruntled employee should continue to have the same access to confidential information. However, this must be balanced very carefully against the on-going duty of mutual trust and confidence between the parties and in particular any allegation that the employer’s actions (in limiting access to data) amounts to a breach of this duty.
Group action claims
The GDPR will make it easier for such group actions to be brought, albeit that the focus of these potential actions so far had been in the context of consumer claims. The decision against Morrisons certainly certain seems to suggest that it is likely that we will see more of these types of “class actions” in the employment arena too.