The High Court has handed down a liability judgment in a claim by 5000+ staff against the supermarket chain Morrisons following a data breach. The case raises the important question of whether an employer is vicariously liable under the Data Protection Act for the criminal actions of a rogue employee who deliberately effected the breach.
In 2014, a file comprising sensitive personal data of 100,000 employees of Morrisons was posted on a public file sharing website and was also sent to three UK newspapers. The data consisted of the names, addresses, date of birth, phone numbers, national insurance numbers, bank sort codes and account numbers and salaries of the employees.
The data was deliberately leaked by a senior internal IT auditor employed by Morrisons, Mr Skelton, who took a copy of the data on a USB stick when entrusted with the job of passing the information on to an external auditor for annual audit purposes. Mr Skelton was separately convicted on criminal charges in relation to the breach and jailed for 8 years, his alleged motivation for the breach arising from a previous unrelated work incident where he had been disciplined, in his view, unfairly.
Over 5000 employee Claimants brought proceedings against Morrisons seeking compensation, alleging (i) breach of statutory duty under the Data Protection Act 1998 (DPA), (ii) an equitable claim for breach of confidence and (iii) breach of the common law tort of misuse of private information. The Claimants alleged Morrisons was both (i) primarily liable for its own acts and omissions and (ii) vicariously liable for the actions of Mr Skelton.
Exposure to businesses and their Cyber Insurers
As Data Controller under the DPA, Morrisons was obliged to comply with (i) Data Protection Principles 1-6, including to process the relevant data fairly and lawfully and to ensure the data is only processed in accordance with the rights of the data subjects (i.e. the employees), and (ii) Principle 7, to ensure that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data".
S.13 DPA entitles a claimant to compensation where they suffer damage by reason of contravention of the DPA by a Data Controller. The DPA provides a statutory defence if the Data Controller can show they took "such care as in all the circumstances was reasonably required to comply with" any DPA requirement.
The Court held that Morrisons had no liability (i.e. primary liability) for breaches of DPA Principles 1-6: the DPA imposed these obligations upon Morrisons as a Data Controller, and Morrisons had complied with them at all times. To find otherwise would impose a strict liability on Morrisons for any data in its possession, which was not the statutory intention of the DPA. When Mr Skelton leaked the data without authorisation, he became a separate Data Controller for the purposes of the DPA, and it was therefore he who had breached these DPA requirements.
As regards Principle 7, the Court conducted a detailed review of Morrisons' conduct and found on all points bar one that Morrisons had acted reasonably, including that (i) it was reasonable to allow Mr Skelton access and to trust him with the data despite his previous (minor) disciplinary warning on an unrelated matter; (ii) the use of the USB stick by Mr Skelton was necessary for his required role, as the email server limit meant he could not pass the data to the external auditor by email; and (iii) Morrisons' monitoring of Mr Skelton's (and all employees') internet activities was adequate. On point (iii), Mr Skelton had searched on his work computer for the TOR network, a proxy avoidance site with software used by those seeking to cover their tracks while using the internet; the Claimants alleged this should have been flagged up by Morrisons' own monitoring software (which prevented access to certain websites) and investigated at the time, before the data breach.
Morrisons had failed in one respect: it should have ensured Mr Skelton had deleted the employee data after a reasonable period once his purpose for having access to it had passed. The Court found, however, that this failing was not causative of the data breach or any connected third party loss in any event, as it would not have prevented the criminal misuse of the data by Mr Skelton.
Accordingly, the Court held Morrisons was not primarily liable under the DPA, for breach of confidence or misuse of private information.
The Court rejected Morrisons' argument that, by its very terms, the DPA excluded the possibility of vicarious liability, confirming the usual rule that the principle of vicarious liability is potentially applicable where an employee commits a breach of statutory duty, even where such duty rests on the employee alone, unless the specific statute expressly or impliedly indicates otherwise.
The Court then went to some length reviewing the key authorities on the extent to which vicarious liability applies to the employer/employee relationship in the specific context where the employee has acted deliberately and criminally, as Mr Skelton had. Such criminal behaviour is at the outer reaches of vicarious liability; each case will turn on its facts and requires a detailed review of the employee's specific acts. The courts have previously decided cases in both directions depending on key factual issues and have grappled with the policy issue of who should ultimately bear related losses: the (likely insured) employer who put the employee in the relevant position, or the innocent Claimant who will often otherwise need to recover from an impecunious employee defendant.
In finding that Mr Skelton had acted in the course of his employment and therefore holding Morrisons vicariously liable for Mr Skelton's acts, the Court found that there was an unbroken thread between Mr Skelton's employment and the data breach and (importantly) Morrisons had specifically entrusted him with the data in issue for the purpose of disclosure to the external auditor. Although some of Mr Skelton's nefarious activities had been conducted at home on his own computer, this did not sufficiently disconnect them from his employment.
Court of Appeal
The Court expressed its own concern in reaching its conclusions, since Mr Skelton's actions were deliberately aimed at Morrisons, the same party the Claimants sought to hold liable, such that it might be argued that the Court could be seen as an accessory to Mr Skelton's criminal aims, i.e. to cause damage to Morrisons. The Court therefore granted leave to appeal on the specific issue of whether Morrisons should be held vicariously liable where Mr Skelton had acted deliberately. Morrisons have apparently indicated they will appeal.
This case is significant to businesses and their Cyber insurers. As well as already facing regulatory fines and reputational issues arising from data breaches, this case confirms the principle that vicarious liability applies to the DPA (even where the business has done all it reasonably can to protect data) and highlights some of the outer edges of potential exposure to third party claims. The judgment contains a detailed analysis of the relevant vicarious liability principles to be applied, although it is clear that each case will be fact sensitive.
The judgment also provides a very useful analysis of the operation of the s.13 DPA defence and Data Protection Principle 7: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."