The implications of a malicious data breach were considered in Various Claimants v WM Morrisons Supermarket plc.
The court considered a claim brought by several thousand Morrisons employees under a Group Litigation Order (a GLO) following the malicious publication by one employee of the personal data of almost 100,000 Morrisons employees. Allegations that Morrisons was primarily liable, having breached relevant principles of the Data Protection Act, breached confidence or misused private information by, itself, misusing data which it was controlling and by failing to have relevant systems in place to protect the data, were rejected in all but one minor and non-causative respect. This was a criminal act for which Morrisons was not responsible, and it was the rogue employee, not Morrisons, who was the data controller of the data set which was misused. Morrisons was, however, found vicariously liable for the actions of its rogue employee; viewed broadly, the breaches occurred as a result of part of his business activity. Leave to appeal was granted in respect of the vicarious liability finding.
On 13 March 2014 Morrisons’ management was alerted to the fact that a file containing the personal data (names, addresses, dates of birth, bank details and salary) of almost 100,000 employees had been posted on a file sharing website in January 2014. It emerged that the data had been deliberately copied and shared by a Morrisons employee. That rogue employee, a Mr Skelton, was duly tried and convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).
The payroll information which was made public by Mr Skelton had been held on a secure system, to which only certain employees had access. As a senior member of Morrisons’ internal IT audit department, Mr Skelton was one such employee. During the course of collating payroll information in late 2013 for onwards transmission to KPMG, Morrisons’ external auditors, Mr Skelton copied the file. He had been subject to a disciplinary procedure in the previous year, and had resigned by the time of KPMG’s request.
Several thousand of the employees whose data was published now seek compensation from Morrisons for breach of statutory duty, the tort of misuse of private information, and breach of confidence. This action, using a Group Litigation Order, is likely to be the first of many relating to data breaches by companies where the personal details of customers or employees are stolen or made public.
Morrisons’ primary liability
The DPA requires personal data only to be obtained, and then used, for specified and lawful purposes. It must be processed "fairly and lawfully". The claimants alleged that Morrisons remained the data controller during the illicit download and subsequent file-share, and, further, that when the employee used that data for criminal purposes it was being processed in a manner incompatible with the purposes for which it had been obtained.
Allegations that Morrisons had breached relevant principles of the DPA, breached confidence or misused private information by, itself, misusing data which it was controlling, failed. Langstaff J held that Morrisons was not the data controller of the data set which was misused. This was a criminal act for which Morrisons was not responsible, and Mr Skelton, not Morrisons, was the data controller for the copy set which was disclosed.
Langstaff J declined to construe the DPA as including any element of strict liability. Although the principal purpose of the EU Directive from which the DPA derives (95/46/EC) is to protect the rights of data subjects, that does not mean it contemplates absolute liability by a data controller, such that a data controller will automatically be liable for disclosures by a third party.
The seventh data protection principle (DPP7) of the DPA, however, requires a data controller to ensure that “appropriate” measures are taken to secure data, subject to technological development and cost. There was no question that Morrisons was the relevant data controller of the original data, and allegations that this principle had been breached required detailed factual evidence from Morrisons as to its systems and controls. Langstaff J equated the “appropriate measures” requirement to the familiar duty to take “reasonable care”, which involves balancing the magnitude of the relevant risk with the availability and cost of measures to prevent it from materialising.
Evidence was given that only 22 “super users” had access to the secure system which held the payroll data, that memory sticks and laptops used by that team were all encrypted, and that their use of the secure data could be tracked. Langstaff J was satisfied that overall, the controls which Morrisons had in place were adequate and appropriate. There was more of a question mark, however, over whether, in the circumstances, additional precautions should have been taken in respect of Mr Skelton. Having considered evidence about the incident which had led to Mr Skelton being disciplined, the disciplinary procedure itself, and Mr Skelton’s reaction and subsequent demeanour, Langstaff J considered that there was nothing to indicate that his access to confidential data should have been restricted. The “technological and organisational measures … could not altogether prevent the risk posed by a trusted employee [who] had given no real reason to doubt his trustworthiness”.
Although it was held that it would be impractical and overly invasive to monitor all internet searches by employees, it was found that Morrisons should have had (and didn’t have) an organised system for the deletion of data, such as the payroll data once extracted and stored on laptops. This was a breach of DPP7, and measures could relatively easily have been adopted to minimise the risks arising from it. This might require a change of culture, but a system of regular deletion, backed up by management, was not disproportionate and would mitigate the risks posed by inadvertent retention of data on laptops and similar devices. This would not, however, have prevented the events which led to Mr Skelton’s disclosure of the payroll data, as it was reasonable to hold a copy of that data for several weeks (or even longer) while KPMG’s audit was ongoing.
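The “organised system for the deletion of data” the court found wanting is, in practice, a retention sweep: something that periodically finds extracted copies older than the agreed window, removes them, and leaves a record that management can review. The block below is an added illustration of such a control and is not code from the judgment, from Morrisons or from the claimants. Everything in it is assumed for the purpose of the example: that extracts live under one directory, that a 42-day window (audit period plus margin) is the agreed policy, that payroll extracts are identified by file extension, and the constructed sample files built by `demo()`.

```python
"""Retention sweep for extracted payroll data.

Added example, not from the judgment. All policy values, paths and
file names below are assumptions constructed for the illustration.
"""
import os
import tempfile
import time
from dataclasses import dataclass, field

MAX_AGE_DAYS = 42                     # assumed policy: audit window plus margin
PAYROLL_SUFFIXES = (".csv", ".xlsx")  # assumed formats of extracted payroll files
DAY = 86400


@dataclass
class SweepResult:
    deleted: list = field(default_factory=list)
    retained: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # one line per decision


def sweep(root, max_age_days=MAX_AGE_DAYS, now=None, dry_run=False):
    """Delete payroll extracts under `root` older than the policy window.

    Files that do not look like payroll extracts are left alone; every
    deletion (or would-be deletion in dry-run mode) is written to the audit log
    so the control is visible to management, not just silently applied.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    result = SweepResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(PAYROLL_SUFFIXES):
                continue  # not an extract: outside this policy
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            age_days = (now - mtime) / DAY
            if mtime < cutoff:
                if not dry_run:
                    os.remove(path)
                result.deleted.append(path)
                verb = "WOULD DELETE" if dry_run else "DELETED"
                result.audit_log.append(f"{verb} {path} age={age_days:.0f}d")
            else:
                result.retained.append(path)
                result.audit_log.append(f"RETAINED {path} age={age_days:.0f}d")
    return result


def demo():
    """Build a constructed extract directory and sweep it with a fixed clock."""
    now = 1_700_000_000  # fixed constructed timestamp so the outcome is deterministic
    root = tempfile.mkdtemp(prefix="payroll_extracts_")
    samples = {                                  # relative path -> age in days
        "audit_2013/payroll_kpmg.csv": 60,       # outside the window: must go
        "audit_2013/notes.txt": 60,              # not an extract: untouched
        "current/payroll_draft.xlsx": 5,         # inside the window: kept
    }
    for rel, age_days in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")
        stamp = now - age_days * DAY
        os.utime(path, (stamp, stamp))           # backdate the file to its sample age

    result = sweep(root, MAX_AGE_DAYS, now=now)
    return {
        "deleted": [os.path.relpath(p, root) for p in result.deleted],
        "retained": [os.path.relpath(p, root) for p in result.retained],
        "notes_untouched": os.path.exists(os.path.join(root, "audit_2013", "notes.txt")),
        "log": result.audit_log,
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Run with `dry_run=True` first to review what the policy would remove; the audit log is the evidence, in a later dispute, that a deletion regime existed and was actually operated. Note that, consistent with the court’s reasoning, the sweep keeps the recent `payroll_draft.xlsx`: a window long enough for an ongoing audit is reasonable, and the control addresses inadvertent retention, not a copy that is legitimately still in use.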
Vicarious liability
The court rejected arguments that the nature of the "data controller’s" statutory obligations under the DPA meant that Morrisons could not have vicarious liability for the tortious acts of its employee. The common law remedies are not incompatible with the statutory regime, but complementary to it. It was held that there was sufficient connection between Mr Skelton’s employment and his wrongful acts to justify a finding of vicarious liability in respect of the breaches of the DPA, the tort of misuse of private information and the breach of confidence claim.
Submissions that the DPA, as a statutory scheme, does not recognise any form of vicarious liability were rejected. The principle of vicarious liability can apply to breaches of statutory obligations, unless the relevant statute expressly or impliedly excludes it. The fact that Mr Skelton became the data controller of the "rogue" data set did not preclude findings of vicarious liability in respect of his breaches of the DPA either.
It was argued for Morrisons that this was a personal, independent venture by Mr Skelton and not one which was carried out during the course of his employment, and/or that all aspects of the tort had to be carried out in the course of employment; the file upload had taken place from home, on a Sunday. Langstaff J disagreed, finding that there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct. What happened was a “seamless and continuous sequence of events” which included the downloading of data from his work computer. Morrisons had deliberately given Mr Skelton trusted access to the relevant data, which was necessary for him to fulfil his role, so, viewed broadly, the breaches occurred as a result of part of Mr Skelton’s business activity. Further, it was a relevant factor that Morrisons were more likely to be in a position to compensate the victims.
Leave to appeal was granted to Morrisons in relation to the finding of vicarious liability. The court was particularly troubled by the suggestion that Mr Skelton’s aim had been to harm Morrisons, so that in finding them vicariously liable the court had inadvertently become an accessory to his criminal aims. Data processors, all of whom face the potential risk of a data breach, and those insuring them, will be greatly interested in the finding that once Mr Skelton had appropriated a copy set of the data, he became the data controller, such that Morrisons could not be primarily liable for his misuse of that particular set of data. The court’s consideration of what might constitute “appropriate measures” under DPP7, in particular questions of what might be proportionate, is also of interest to data processors, who may wish to consider the court’s specific comments when reviewing their IT security.