The English Court of Appeal has dismissed an appeal in Various Claimants v. Wm Morrison Supermarkets PLC, agreeing with the English High Court’s first instance decision that the supermarket chain was vicariously liable for a deliberate and malicious data breach by an employee.
Morrisons, a UK-based supermarket chain, had instructed S, a senior IT auditor employed by Morrisons, to transfer 99,998 employees’ payroll information to the company’s external auditor, KPMG. S had previously been subject to a formal warning in respect of his misuse of company postal facilities, leaving S with a “grudge” against the company. S duly transferred the payroll data to KPMG via an encrypted USB stick but also copied the data onto another USB stick for his own use. S posted the payroll data of the 99,998 Morrisons employees online and also sent it to certain local newspapers. The newspapers alerted Morrisons, which acted quickly to terminate S’s employment, take steps to mitigate the spread of the data and alert the police. S was convicted in criminal proceedings for his actions and sentenced to eight years in prison.
A class of 5,518 employees brought civil proceedings against Morrisons in December 2015, claiming damages plus interest for misuse of private information, breach of confidence and breach of statutory duty owed under section 4(4) of the Data Protection Act 1998 (DPA). The claimants argued that Morrisons was primarily liable under the heads of claim but, if not, then they claimed that Morrisons was liable vicariously for the wrongful conduct of S, its employee.
At first instance, Mr Justice Langstaff held that Morrisons was not directly liable for the breach and found (with one exception) that its data security measures were acceptable. Morrisons was, however, found to be vicariously liable for the actions of S. Our commentary on the judgment at first instance can be found here.
Morrisons appealed the finding that it was vicariously liable for S’s actions, arguing that (i) the DPA did not reference vicarious liability so that it should not be liable for S’s actions, and (ii) the DPA excluded the ability to bring equitable and common law actions such as the misuse of private information and breach of confidence, where the facts underlying those claims would constitute processing of personal data within the DPA. In effect, Morrisons argued that the DPA contains a comprehensive framework for liability for the wrongful processing of personal data, which left no room either for the common law torts or for vicarious liability for employees having committed those common law torts. Morrisons further argued (iii) that S’s actions did not fall within the scope of his employment, and therefore, Morrisons could not be vicariously liable for them.
The Court of Appeal rejected Morrisons’ arguments. It said that if Parliament, by enacting the DPA, had intended to exclude vicarious liability, they would have expressly said as much. The same would be true if Parliament had intended to exclude the torts of misuse of private information and breach of confidentiality when processing of personal data had occurred. Following the High Court’s reasoning, the Court of Appeal held that the purpose of the DPA was, above all, to protect personal data. Any additional liability that might prompt controllers to better protect their data would only assist in serving that purpose.
The Court of Appeal summarised its decision as follows:
“In conclusion, the concession [by Morrisons during the Court of Appeal hearing] that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA [if the actions for misuse of private information and breach of confidentiality had been brought against Morrisons directly], and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that [Langstaff J] was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.”
Morrisons’ third argument, that S’s acts did not occur during the course of his employment, was also rejected by the Court. The Court held that the liability began from the moment S downloaded the data onto a USB stick, which action had been done during his employment and at the behest of Morrisons.
Finally, the Court noted that its finding of vicarious liability against Morrisons would be troubling for companies that experience data breaches “caused by either corporate system failures or negligence by individuals acting in the course of their employment.” The Court went on to note that such breaches “might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts.” The Court said that the solution to these issues was to be fully insured. Valid insurance, it said, was not a reason for imposing liability, but it would mitigate against the “Doomsday” arguments put forward by Counsel for Morrisons in the case, concerning any detrimental effect on business that this judgment might spark.
Cases such as this are likely to be relatively rare, but as we move towards an increasingly data driven economy, the potential for such incidents to increase in scale is clear. This decision of the Court of Appeal underscores the need for an effective compliance programme. Whilst it is unlikely to stop a rogue employee such as S, it will certainly assist to prevent inadvertent or negligent data breaches. And if the worst does happen, a robust incident response plan—and, as the Court of Appeal noted, insurance—is essential in order to mitigate the damage.