The acquisition from organisations of large databases of personal data by external parties (usually hackers) is an increasingly modern phenomenon – think Ashley Madison, PlayStation, TalkTalk. Less common, and perhaps of greater concern for employers, is the ‘inside job’ where a trusted employee is responsible for a major breach of data security. The High Court case of Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) has shown that a data controller can be held vicariously liable for the misuse of date by one of its employees even where it has done everything it reasonably can do to prevent such a breach.

Overview of Facts

In 2013/2014, Andrew Skelton, a Senior IT Auditor at Morrisons, decided to ‘go postal’ in a very modern way in order to avenge a minor disciplinary sanction which had been imposed on him by his employer.

To that end, he used his seniority and privileged access to confidential material to post the personal details (including salary and bank details) of nearly 100,000 fellow employees on a public file sharing website. This was a criminal offence under the Computer Misuse Act 1990 and Data Protection Act 1998 (“DPA”) and he is now serving an 8 year prison sentence as a result.

In undertaking his criminal endeavour, Skelton employed deviousness and his advanced IT skills to evade the protections put in place by Morrisons to mitigate the risks of such a large scale data breach. For example, he obtained an untraceable pay-as-you-go mobile, he utilised a personal and unencrypted USB stick, he appears to have used a ‘dark net’ browser to conceal his IP address and he attempted to cover his tracks and ‘frame’ other employees for his acts.

Following his conviction, a group of the affected employees brought a civil action against Morrisons under the DPA to exact recompense for the wrongs they suffered at the hands of Skelton.

We deal with the two key questions before the High Court and its conclusions below.

Did Morrisons have a primary liability under the DPA for the breach?

As data controller with respect to its employees’ personal data, Morrison is subject to a number of complementary obligations under the DPA, in particular the data protection principles. In essence, personal data must be processed lawfully and fairly and that may only occur if certain conditions (e.g. consent is given) apply. Furthermore, it may only be processed for certain specified purposes and only be kept for as long as is necessary to achieve the relevant purpose.

There was no question in this case that Skelton’s act contravened the data protection principles. However, it was in issue as to whether Morrisons, as the ‘original’ controller for these data, had a primary liability for the breaches.

The court held that it did not. Once Skelton had misappropriated the data and began to determine how and why the data would be processed, i.e. by posting it on the internet, he himself became a data controller in respect of it. It was he, not Morrisons, who had offended the data protection principles. One data controller is not liable for the actions of another controller acting without its authority and in a criminal way, even in respect of the same data pool.

The one exception to the above was Principle 7 of the DPA, which requires appropriate technical and organisational safeguards to be in place to protect personal data. Morrisons was potentially on the hook for a breach in this regard. However, following a detailed consideration of the facts, the court found that (for the most part) Morrisons did have adequate protections in place which were proportionate to the risks involved and that there were no failings in this regard which led to a breach. Obviously they did not guard against the high-tech machinations of a disgruntled and determined insider, but the court acknowledged that no system is failsafe.

The court further clarified that the DPA does not impose a duty of strict liability on data controllers. This is a useful clarification, but in light of what follows in relation to vicarious liability, is perhaps cold comfort in practical terms for employers faced with an employee who adopts the mantle of data controller and goes rogue.

Was Morrisons vicariously liable for its rogue employee’s criminal breaches of the DPA?

As this was a claim against an employer for harm caused by an employee, the court did not spend long considering whether or not vicarious liability might apply. It clearly might. The question was whether or not Skelton had been acting in ‘the course of employment’ and the test for this is one of ‘close connection’. The court considered, amongst other cases, the decision of the Supreme Court in Mohamud v William Morrison Supermarkets plc [2016] UKSC 11 where a petrol station employee had seriously assaulted a customer on the station forecourt in a racially motivated attack following a request from the customer to print some documents from a USB. The Supreme Court held that although the employee had grossly abused his position, the attack had flowed in an unbroken chain of events from dealing with a request from a customer, an activity which formed part of that employee’s role. This decision also emphasised the need for the concept of justice to be considered alongside the ‘close connection’ test.

In his judgment, Mr J Langstaff found that:

  1. there was an ‘unbroken thread’ linking Skelton’s job to the disclosure;
  2. Morrison’s had taken a risk in entrusting Skelton with the data;
  3. Skelton’s disclosure was closely related to what he had been tasked to do, and
  4. It followed that when Skelton received the data he was acting as an employee and the disclosure was not disengaged from his employment.

It was confirmed that, as in Mohamud, the motive of the employee was not relevant. J Langstaff held that vicarious liability can be established for breaches of the DPA and that it had been established in this case. Interestingly, leave for Morrisons to appeal on this point was granted.

How will the GDPR change things when it comes into force on 25 May 2018?

The analysis of the court on the issue of Morrison’s primary liability focuses predominantly on whether it was the relevant data controller at the time of the majority of the breaches. As such, the claimants’ arguments died on the threshold of the DPA. The concept of the data controller is largely unchanged under the GDPR, so there is reason to think that this logic will still apply going forward.

With regards to vicarious liability, although this decision has worrying implications for data controllers concerned about breaches of data security that they have little control over, it is only the latest in a steady line of cases which have confirmed the broadening scope of vicarious liability for the criminal acts of employees. The position is unlikely to alter without significant legislative change and the Data Protection Bill, currently making its way through Parliament, contains no such provisions. This is unfortunate news for employers. Not only do they face the looming spectre of the huge new potential fines under the GDPR, but they are potentially on the hook for the criminal acts of rogues for which, as the court acknowledged, there is “no failsafe system”.