The High Court (Langstaff J) handed down a significant decision holding Morrisons supermarkets vicariously liable for the criminal actions of a rogue employee who leaked employee personal data on the internet.
A senior auditor of Morrisons, Andrew Skelton, publicly leaked the personal details of almost 100,000 co-employees as revenge for Morrisons disciplining him in connection with a separate, comparatively innocuous matter. The personal data included names, addresses, bank account details and salary information. Mr Skelton is currently serving an eight year prison term following a criminal conviction for his actions.
In the first class action of its kind, approximately 5,000 employees whose data was leaked brought proceedings against Morrisons for primary and secondary (vicarious) liability under the Data Protection Act 1998 ("DPA"), at common law for misuse of private information and in equity for breach of confidence.
The High Court found that Morrisons was not primarily liable for breaches of the data protection principles in Schedule 1, Part 1 of the DPA ("DPPs") save in respect of the seventh DPP, which obliges the data controller to take appropriate technical and organisational measures to protect personal data against misuse. It was not Morrisons that disclosed the information or misused it; it was Mr Skelton acting without authority and criminally as an independent data controller.
With respect to the seventh DPP, the court concluded that Morrisons had generally taken the appropriate technical and organisational measures to protect the data against misuse. Specifically the court rejected the notion that it would have been appropriate for Morrisons to mistrust Mr Skelton after issuing him a verbal warning under the disciplinary procedure and, for example, to have placed him under additional electronic surveillance. However, Morrisons fell short by not putting in place an organised system for the deletion of a large volume of employee personal data which Mr Skelton temporarily held on his laptop. Notably, the court commented that would not have prevented Mr Skelton's crime anyway and therefore it was not causative of any losses suffered by the claimants.
In an extended review of the law on vicarious liability, the court made the following key findings:
The principles of vicarious liability can apply to the DPA. The emphasis of the DPA is on the protection of data subjects. If an employer could escape liability the moment an employee decides to misuse data to which his employer has given him access, this would defeat the protective purpose of the DPA;
As well as the DPA claim, vicarious liability could arise in respect of the claims for misuse of private information or breach of confidence; and
The "course of employment" test for vicarious liability should be applied broadly. The court found that there was a sufficient connection between Mr Skelton's employment and his wrongful conduct for vicarious liability to be established. This was despite the disconnect in time, place and nature from Mr Skelton's employment when he posted the data (the disclosures were made from home, by use of his personal equipment and on a Sunday).
The court was troubled by the fact that its decision effectively furthered Mr Skelton's criminal aims to cause harm to Morrisons and it has granted leave to Morrisons to appeal the decision on vicarious liability. It is presently unclear whether Morrisons will appeal. The claimants' remedy will be assessed separately, and it will be interesting to see how the damages for each claimant are evaluated.
What does this mean for employers?
This landmark case highlights the potentially wide-reaching implications of data protection legislation, establishing that organisations can be liable for breaches of the protection laws even though they have taken appropriate measures to comply with the security requirements of the data protection legislation and even though they are the intended victim of the breach.
Despite Langstaff J's conclusion that his decision would not significantly increase the costs of compliance for organisations, the risks of vicarious liability under the DPA will inevitably unnerve data controllers alongside the increased cyber risks facing organisations today and the impending implementation of the General Data Protection Regulation in May 2018, with its increased penalties for non-compliance and enhanced rights and remedies for data subjects.