A landmark ruling in a group action by employees has found Morrisons Supermarket vicariously liable for a deliberate data breach carried out by a rogue employee, out of working hours and at home on a personal computer. The judgment has significant implications for all data controllers (and in the future, data processors) as Morrisons was vicariously liable even though, overall, it had discharged its own obligations as required under the Data Protection Act 1998 (DPA) and common law. This is the first group litigation data breach case to come before the courts, and with the General Data Protection Regulation (GDPR) coming into force in May 2018, employers will be concerned that the finding is an indication of what is to come under the new regime: Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) 2017

The case involved a data breach of the nearly 100,000 employees of Morrisons whereby personal information from a payroll database (including names, addresses, bank account details and salaries) appeared on a file sharing website in early 2014. Related criminal proceedings found that Mr Andrew Skelton, then a senior internal IT auditor employed by Morrisons, had misused the payroll data that had come into his possession. His motivations were found to be malicious as he bore a grudge against Morrisons in relation to a previous disciplinary incident not related to this case. Skelton published the data on a file sharing website before posting links elsewhere on the internet. He also sent a CD containing a copy of the data to three newspapers. Skelton was convicted and imprisoned for eight years at a subsequent criminal trial.

5,518 employees brought group litigation against Morrisons claiming that Morrisons had both primary and vicarious liability for the actions of Skelton.

Morrisons had no primary liability

It was the claimants’ position that Morrisons had primary liability (for breach of statutory duty, breach of confidence and misuse of private information) to compensate its employees for the unlawful actions of Skelton. However, this argument failed, with Langstaff J finding that Skelton’s actions were not conducted on behalf of his employer and that Morrisons was not the true data controller at the time of Skelton’s criminal actions (Skelton was).

Had Morrisons taken “appropriate technical and organisational measures” to protect against unauthorised or unlawful processing of personal data (as required under Data Protection Principle 7)? Langstaff J concluded that “Morrisons did not directly misuse any information personal to the data subjects. Nor did they authorise its misuse, nor permit it by any carelessness on their part. If Morrisons are liable it must be vicariously or not at all.” Accordingly, Langstaff J rejected all claims of primary liability against Morrisons under the DPA. He also held that there was no primary liability in relation to the tort of misuse of private information, or breach of confidence.

As such the only possible basis of liability was that of vicarious liability.

But Morrisons is vicariously liable

Vicarious liability depended on whether a sufficient connection existed between the actions of Skelton and the “course of [his] employment.”

There was a sufficient connection because:

  • an unbroken thread linked Skelton’s employment to the disclosure as a “seamless and continuous sequence of events”;
  • Morrisons deliberately entrusted Skelton with the data during the course of his employment; and
  • Morrisons tasked Skelton with receiving, storing and disclosing the data; therefore, his actions (albeit unlawful) were closely related to the task he was given.

The fact that Skelton unlawfully disclosed the data from a personal computer, at home and outside of working hours was not sufficient to break the chain of events.

Skelton’s wrongful acts were found to be sufficiently connected to his employment, resulting in Morrisons being vicariously liable for those acts. Skelton’s motives were irrelevant.

It is clear that Langstaff J was not entirely comfortable with his conclusion in relation to vicarious liability. In particular, he was mindful that the court was in effect rendered an accessory to Skelton’s criminal aim of damaging the company. The judge gave Morrisons permission to appeal the vicarious liability finding but said that without further persuasion he would not agree a cross appeal on his conclusions as to primary liability.

Comment

The result of this case will have caused great concern for employers. The judgment acknowledges that there will always be rogue employees who misuse data entrusted to them to handle in the course of their employment, and whilst Morrisons in this scenario had deployed proportionate control mechanisms to prevent misuse, they were still held to be vicariously liable. Any appeal will be eagerly anticipated.

It should be remembered that this case considered only liability and not quantum so the level of compensation owed to each of the claimants is yet to be determined.

The coming into force of the GDPR in May 2018 should also be borne in mind, as this regime will extend the remit of liability beyond data controllers (as catered for under the DPA) to data processors as well. Employers must be proactive in ensuring they have appropriate data security measures, policies and procedures in place to help combat any claims for primary liability. Clients should also consider implementing stricter employee controls for those dealing with personal data.

With the GDPR increasing the potential for group litigation, coupled with the result in this case, we expect to see more group action claims in the sphere of data breaches.