With 498 locations across Britain and a market share in the retail supermarket sector of around 10%, Morrisons supermarkets are a familiar sight across Britain.
In March 2014, the organisation was rocked by a series of data breaches publicly exposing sensitive personal information relating to past and present employees.
Whilst Morrisons was left ‘red faced’ following the incident, having become aware of the breaches only after being tipped off by a newspaper, it responded swiftly and the person responsible was quickly identified and arrested. The breaches were the work of one disgruntled Morrisons employee, who ultimately received a lengthy prison sentence for his actions. However, it looks as though Morrisons will also pay a significant price. In an action brought by a pool of 5,518 claimants, Morrisons has been held vicariously liable for the criminal acts of its (now former) employee, both at first instance and on appeal (Court of Appeal Decision).
Would an Australian Court faced with this fact scenario hold a corporation liable for an employee’s deliberate data breach?
Sean Field, Karli Evans and Catherine Burkhalter investigate.
Background to the breach
On 12 January 2014, a file containing the personal details of 99,998 current and former Morrisons employees was posted on a file sharing website without the consent of Morrisons or the relevant individuals. Shortly thereafter, links to the website were also posted without authority elsewhere on the internet. The breach was a deliberate attempt to cause maximum harm, mainly to Morrisons.
The data consisted of highly sensitive and personal information including names, addresses, gender, dates of birth, phone number (home and mobile), national insurance numbers, bank sort codes, bank account numbers and salary details.
A CD copy of the data was also sent anonymously to various UK newspapers. Thankfully for Morrisons, none of the papers published any of the information and one of them tipped off Morrisons.
Morrisons didn’t learn of the breach until 13 March 2014, when it took urgent steps to contain and remedy the breach by shutting down access to the website where the information had been posted.
Morrisons’ systems enabled the organisation to rapidly identify the limited number of individuals who had accessed the relevant database and, by 19 March 2014, the perpetrator, Mr Andrew Skelton, a senior IT auditor at Morrisons, was identified and arrested.
So what caused Mr Skelton to want to act in this way?
Managing employee performance and implementing disciplinary processes are a necessary and commonplace function for the human resources team in any workplace. In this case, nine months prior to Mr Skelton leaking the data, Morrisons had taken formal disciplinary action against Mr Skelton in connection with a separate workplace incident. Mr Skelton’s appeal against those internal processes was unsuccessful.
After a period of suspension, Mr Skelton returned to work in his original position and he continued to perform his duties as usual. Little did Morrisons know that Mr Skelton was plotting to take revenge against the company.
Some months following his suspension, Mr Skelton was directed to assist with an audit process. This required him, among other things, to obtain employee information from the central PeopleSoft database and to provide it to Morrisons’ external auditor, KPMG. At this point Mr Skelton saw an opportunity to take an additional copy of Morrisons’ employee database for himself, laying the foundation for the subsequent data breach.
A few months later, on a Sunday evening whilst at home, and using his own devices, Mr Skelton posted the database on a file-sharing website. Later, he sent the data to various newspapers as described above.
The Proceedings Against Morrisons
To date there have been two proceedings. In the proceedings at first instance, before Langstaff J, Morrisons was found not to be directly liable for the breach but nevertheless was found to be vicariously liable for the actions of Mr Skelton.
Morrisons did not succeed in its appeal, which was limited to the issue of vicarious liability.
In October 2018, the Court of Appeal roundly endorsed the judgement at first instance, including upholding the result.
It is possible that Morrisons may further appeal but as yet it has not done so. Also it is important to note that separate proceedings on the question of the quantum of damages that the claimants can expect to receive have yet to get underway.
The case represents a significant development in terms of the implications of data breaches for corporations and questions of liability. In this article we consider whether and to what extent a similar result might play out in the Australian Courts.
In particular, we focus on the issues of direct and vicarious liability of a corporation for its employees’ conduct.
The UK Data Protection Act 1998 (the DPA) contains a provision that quite closely follows Australian Privacy Principle (APP) 11 under the Privacy Act 1988 (Cth).
Data protection principle no. 7 (DPP 7) under the DPA imposes the following obligation on “data controllers”:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
“Data controllers” are persons who make decisions about how and why personal data are processed.
Section 13 of the DPA also provides that it will be a defence (the burden of proof resting on the data controller) if “all reasonable care” is taken to satisfy the DPPs.
Compare and contrast APP 11.1, which is in the following terms:
11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
For the purposes of comparison and analysis, we will assume that the phrase “appropriate technical and organisational measures” in DPP7 is in substance equivalent to or at least comparable with APP 11.1’s “such steps as are reasonable in the circumstances.”
A company in Australia that fails to take “such steps as are reasonable in the circumstances” to protect personal information could be liable under the Privacy Act.
The problem is that nobody knows, in respect of any particular scenario, specifically what “reasonable” steps are. The Privacy Act takes a purposive, rather than a prescriptive, approach to this issue. This makes a lot of sense, as any attempt to specifically enshrine particular IT security measures or standards into legislation will quickly be hopelessly out of date. In practice, however, it provides limited guidance on how to comply with the relevant obligations.
Helpfully, the DPA expands on DPP 7, as follows:
Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to –
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.
This is consistent with the OAIC’s guidance on APP11, which states that the “reasonable steps” required under APP11.1 will depend upon the circumstances that include:
- the nature of the entity, including its size, its resources and the complexity of its operations;
- the amount and sensitivity of the data;
- the possible adverse consequences of a breach; and
- the practical implications of implementing the security measure, including time and cost involved.
The OAIC notes, however, that:
An entity is not excused from taking particular steps to protect information by reason only that it would be inconvenient, time-consuming or impose some cost to do so.
So let’s take a look at a few specifics from the Morrisons case.
First of all, let’s consider the ‘PeopleSoft’ system, which was the database in which the employee records were stored. Systems like this are relatively commonplace. They are generally set up so that employees can see data about themselves (only); managers can see data for people who are their direct reports; other more senior management may have greater access or even full access. In this case, there were 22 “super users” who had full unfettered access to the database. All access was tracked. The Court considered that such a system was “appropriately secure” within the meaning of DPP7.
But what about when data is downloaded from the central database to a laptop? Or even a USB? The court thought that this was OK if the laptop or USB was encrypted.
However there was one issue where the court felt that Morrisons’ procedures did not measure up to the standard required in DPP7.
In order to understand this issue, we need to drill down somewhat into Mr Skelton’s involvement in the external audit process mentioned above.
As we have noted, following his suspension, Mr Skelton returned to work on 3 July 2013. Disciplinary proceedings ensued; Morrisons gave Mr Skelton a formal “verbal” warning on 18 July 2013 and Mr Skelton’s appeal was rejected on 15 August 2013.
In October, Mr Skelton was researching The Onion Router (TOR) on his work computer – which in retrospect may have been the first red flag in respect of the subsequent breach.
TOR is a browser product that allows a user to undertake internet searches anonymously. It is not suggested that using or researching TOR is an indicator of malicious or nefarious intent; there are many legitimate reasons why one may wish to be anonymous on the internet and TOR is widely used for this purpose.
We note that in a recent case in Australia of a contractor allegedly unlawfully copying AMP customer information, AMP’s cybersecurity staff were apparently alerted to the compromise because the alleged perpetrator attempted to install TOR on his work supplied computer.
Given the above, we would suggest perhaps that searches on workplace IT systems for TOR and the like should raise an IT/cybersecurity risk flag.
On 1 November 2013, the company’s external auditor requested a number of categories of data from Morrisons. This was a resumption of similar external auditing conducted in 2012, which Mr Skelton had also been involved with. On both occasions, Mr Skelton was tasked with compiling the employee data. At Mr Skelton’s request, a senior manager in Morrisons’ HR Department obtained a copy of the relevant data from the PeopleSoft database, which he initially attempted to email to Mr Skelton on 14 November. However, the email was quarantined due to its size and in fact the file was delivered to Mr Skelton on a USB stick the next day. Mr Skelton copied the data onto his laptop and returned the USB stick.
Some time in the next 7 days or so, between 15 and 21 November 2013, Mr Skelton copied the data to another USB stick and gave it to KPMG, retaining the original on his laptop.
On 18 November he copied the data from his work laptop to another USB – which was the data that he was going to release, and accordingly was the first step in his plan.
The data was uploaded by Mr Skelton to the file-sharing site on 12 January 2014 and the material was provided to various newspapers on 13 March 2014.
It is not clear at what point Mr Skelton deleted the copy – that he lawfully had – from his laptop. In any case he had, by 18 November, a copy on his own USB stick. He did not need the copy on the laptop to put his plan into action.
While there was no causal link between the data breach and the copy of the data on Mr Skelton’s laptop, the court considered that, when measured against DPP7, there was a process failure in the sense that Morrisons should have had in place a process to follow up on the deletion of additional copies of the data residing outside of the security of the PeopleSoft system.
Justice Langstaff had this to say:
I find that there was no organised system for the deletion of data such as the payroll data stored for a brief while on Skelton’s computer. There was no failsafe system in respect of it. To this extent, in my view, Morrisons fell short of the requirements of DPP7: where data is held outside the usual secure repository used for it (in the case of the payroll data, within the Peoplesoft system) there is an unnecessary risk of proliferation and of inadvertent disclosure (let alone deliberate action by an employee) revealing some of that data. Morrisons took this risk, and did not need to do so. Organisational measures which would have been neither too difficult nor too onerous to implement could have been adopted to minimise it.
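The “organised system” the judge found missing can be as simple as a register of every declared copy of an extract, who holds it, why, and when it must be deleted. The following Python is an added illustration, not Morrisons’ process or anything taken from the judgment: the copy names, holders and the 14-day retention period are assumptions, and the dates follow the sequence of copies described above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class ExtractCopy:
    """One copy of sensitive data held outside its secure source system."""
    copy_id: str
    location: str                 # device or medium holding the copy
    holder: str                   # person or party responsible for it
    purpose: str
    created: date
    due: date                     # deletion (or re-justification) deadline
    parent: Optional[str] = None  # copy this one was made from, if any
    deleted: Optional[date] = None


class ExtractRegister:
    """Tracks every declared copy and its deletion so none is forgotten."""

    def __init__(self) -> None:
        self.copies: Dict[str, ExtractCopy] = {}

    def register(self, copy_id, location, holder, purpose, created,
                 retention_days, parent=None) -> ExtractCopy:
        if copy_id in self.copies:
            raise ValueError(f"duplicate copy id {copy_id!r}")
        if parent is not None and parent not in self.copies:
            raise KeyError(f"unknown parent copy {parent!r}")
        copy = ExtractCopy(copy_id, location, holder, purpose, created,
                           created + timedelta(days=retention_days), parent)
        self.copies[copy_id] = copy
        return copy

    def record_deletion(self, copy_id: str, when: date) -> None:
        self.copies[copy_id].deleted = when

    def overdue(self, today: date) -> List[str]:
        """Copies still in existence after their deadline, earliest first."""
        late = [c for c in self.copies.values()
                if c.deleted is None and c.due < today]
        return [c.copy_id for c in sorted(late, key=lambda c: (c.due, c.copy_id))]

    def lineage(self, copy_id: str) -> List[str]:
        """Chain of copies from this one back to the original extract."""
        chain: List[str] = []
        current: Optional[str] = copy_id
        while current is not None:
            chain.append(current)
            current = self.copies[current].parent
        return chain


def build_sample_register() -> ExtractRegister:
    """Constructed scenario modelled on the sequence of copies in the case."""
    reg = ExtractRegister()
    reg.register("hr-usb", "USB stick", "HR manager",
                 "deliver payroll extract to IT auditor", date(2013, 11, 15), 14)
    reg.register("laptop", "IT auditor work laptop", "IT auditor",
                 "prepare extract for external auditor", date(2013, 11, 15), 14,
                 parent="hr-usb")
    reg.register("auditor-usb", "USB stick", "external auditor",
                 "external audit", date(2013, 11, 21), 14, parent="laptop")
    # Assumed: the returned HR stick was wiped the same day; nothing else was.
    reg.record_deletion("hr-usb", date(2013, 11, 15))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("overdue at 2013-12-31:", reg.overdue(date(2013, 12, 31)))
    print("lineage of auditor-usb:", reg.lineage("auditor-usb"))
```

A periodic `overdue()` check is the failsafe the judgment describes: any registered copy that outlives its purpose is surfaced for follow-up rather than relying on the holder to remember.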
Let’s look at a couple of other propositions in respect of which, it was argued on behalf of the claimants, Morrisons had fallen short of the standards required by DPP7 or should otherwise have been held directly liable for Mr Skelton’s actions.
First of all, it was argued that because Mr Skelton had been the subject of disciplinary procedures only a few months before, he should not have been trusted with access to such sensitive and significant information; and that Morrisons had failed to adequately manage or mentor Mr Skelton following the incident.
The Court disagreed, concluding that Morrisons could not reasonably have anticipated that Mr Skelton would act like this as a result of the workplace incident and the ensuing disciplinary action.
While there was evidence from management to the effect that Mr Skelton was not happy about being disciplined, no-one felt that he was so badly aggrieved that he would set out to deliberately harm the company and its employees in such a drastic way.
In addition, the Court felt that the incident in no way merited restricting the type of information Mr Skelton should have been permitted to handle; and that his inability to have access to and to deal with confidential information would in effect prevent him from doing his job.
Secondly, it was argued that Morrisons should have been alerted by the fact that Mr Skelton had researched how to use TOR on a work computer.
The Court did not think that this fact should have triggered any further investigation or inquiry by Morrisons. While it was possible for Morrisons to obtain a list from the system of what websites an employee may have looked at on any given day, routine monitoring did not occur and was not practicable given the number of employees and internet usage across the business.
The Court thought that because the letters “TOR” appear in lots of words – eg, “navigator”, “actor” and “factor” – it would not be possible to effectively monitor someone searching for “TOR” in relation to The Onion Router.
In this regard it is difficult to follow the Court’s reasoning. In a modern day workplace with sophisticated IT monitoring systems, it is a relatively simple matter to flag high-risk activity without the need to exhaustively review all browsing history.
It would not have been difficult to set up an alert for employees researching TOR or the use of VPNs to provide anonymity.
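To illustrate the distinction between exhaustively reviewing browsing history and targeted alerting, here is an added example (not from the article, the judgment or Morrisons) that runs two detectors over a constructed sample of web-proxy log lines: a naive substring match on “tor”, which fires on “actor”, “factor” and “navigator” exactly as the Court feared, and a targeted matcher that flags only known Tor hostnames and whole-word terms inside search queries. The hostname torproject.org is the real Tor Project site; the users, other hostnames and URLs are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed web-proxy log sample (user, requested URL); not real data.
PROXY_LOG = [
    ("alice", "https://news.example.com/arts/actor-wins-award"),
    ("alice", "https://finance.example.com/reports/risk-factor-analysis"),
    ("bob",   "https://intranet.example.com/apps/navigator"),
    ("carol", "https://search.example.com/search?q=how+to+use+tor+browser"),
    ("carol", "https://www.torproject.org/download/"),
    ("carol", "https://search.example.com/search?q=anonymous+vpn+no+logs"),
]

# Hostnames indicating Tor research or download. torproject.org is the real
# Tor Project site; an organisation would extend this from its own intel.
HIGH_RISK_HOSTS = {"torproject.org"}
# Whole-word terms, applied to search queries only, so "actor" never matches.
SEARCH_TERMS = re.compile(r"\b(tor|onion router|vpn)\b", re.IGNORECASE)
SEARCH_PARAMS = ("q", "query", "p")   # common search-engine query parameters


def naive_substring_hits(log):
    """The approach the Court assumed: flag any URL containing 'tor'."""
    return [(user, url) for user, url in log if "tor" in url.lower()]


def _host_matches(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in HIGH_RISK_HOSTS)


def targeted_hits(log):
    """Flag only high-risk hosts and whole-word search terms, with a reason."""
    hits = []
    for user, url in log:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if _host_matches(host) or host.endswith(".onion"):
            hits.append((user, url, "high-risk host"))
            continue
        queries = parse_qs(parsed.query)      # decodes '+' and %xx escapes
        matches = (SEARCH_TERMS.search(q)
                   for p in SEARCH_PARAMS for q in queries.get(p, []))
        match = next((m for m in matches if m), None)
        if match:
            hits.append((user, url, f"search term {match.group(1).lower()!r}"))
    return hits


def users_to_review(log, threshold=2):
    """Users with at least `threshold` targeted hits, for analyst follow-up."""
    counts = {}
    for user, _url, _reason in targeted_hits(log):
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(f"naive: {len(naive_substring_hits(PROXY_LOG))} hits, "
          f"targeted: {len(targeted_hits(PROXY_LOG))} hits")
    for user in users_to_review(PROXY_LOG):
        print("review:", user)
```

On the sample, the naive matcher flags five of six lines (three of them false positives), while the targeted matcher flags only the three genuinely relevant requests, all from one user.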
Arguably, and perhaps with the benefit of perfect hindsight, the combination of the prior disciplinary issues, the TOR research and the failure to control copies of data outside of PeopleSoft suggests that Morrisons could perhaps have been found to be primarily liable for the data breach.
In an Australian context, given that our Privacy Act makes no distinction between data processor and data controller, an Australian Court might have been more inclined to find Morrisons primarily liable, rendering the issue of vicarious liability somewhat moot.
Whilst the Court of Appeal Decision on vicarious liability is not binding on Australian Courts, it is nevertheless persuasive because English judgements are often considered by Australian Courts (and vice-versa), especially on the commonly vexed issue of vicarious liability.
Whilst it is not the intention of this article to undertake a detailed comparison of the law of vicarious liability in Australia compared with English law in this area, we would make the following observations.
Broadly speaking, vicarious liability in Australia and the UK is considered under common law as a form of legal liability which can be imposed on an employer, despite the employer not itself being at fault. However, Courts in the UK and Australia have struggled to identify the correct approach to use when considering whether an employer is vicariously liable for conduct of an employee.
In the Court of Appeal Decision, the relevant approach applied when considering vicarious liability, was whether the conduct of Mr Skelton in distributing personal information to third parties was ‘within the field of activities assigned to [him]’, and, insofar as this was the case, whether there was a ‘sufficient connection’ between the position in which Mr Skelton was employed and his wrongful conduct.
Ultimately, it was held in both proceedings that the unauthorised acts of Mr Skelton in sending the claimants’ data to third parties was within the field of activities assigned to him by Morrisons.
It may be troubling to think, at first blush, that an employee engaged in a deliberate and wilful criminal act, might nevertheless be seen by a Court as acting in the course of their employment, but that’s what the Courts (at first instance and on appeal) found in the UK on the fact scenario before them.
Since vicarious liability is highly fact specific, it is difficult to predict whether an Australian Court would make the same finding should a similar set of circumstances arise.
In Prince Alfred College Incorporated v ADC HCA 37 (the PAC case), recognising the “divergent views” on vicarious liability expressed in the Courts below and indeed the “differing” views expressed by the High Court itself on the topic in New South Wales v Lepore (2003) 212 CLR 511, the High Court delivered a unanimous judgment in an effort to provide some guidance on the issue of vicarious liability.
In the PAC case, the Full Court of the High Court referred to the requirement that, to establish vicarious liability, an employee’s wrongful act must “be committed in the course or scope of employment” as “a touchstone for liability”.
The question then, is whether and when a particular act “can be said to be in the course or scope of employment.” Surveying the case law in Canada and in the United Kingdom, the Full Court stated, “in most cases in which an act is found to have occurred … in the course of employment, the act can be said to be connected … to the employment”.
The Full Court goes on to say that what is necessary is not just that the employee’s role provide the opportunity for the wrong, but also that it provide the occasion:
Consequently … the relevant approach is to consider any special role that the employer has assigned to the employee and the position in which the employee is thereby placed vis-à-vis the victim. In determining whether the apparent performance of such a role may be said to give the “occasion” for the wrongful act, particular features may be taken into account. They include authority, power [and] trust …
The Full Court continued:
Where, in such circumstances, the employee takes advantage of his or her position with respect to the victim, that may suffice to determine that the wrongful act should be regarded as committed in the course or scope of employment and as such render the employer vicariously liable.
In our view, the factual scenario in the Morrisons case would be capable of satisfying the test for vicarious liability laid out in the PAC Case, including satisfying the “occasion” test.
Mr Skelton’s role arguably afforded him both the opportunity and the occasion (at 185):
his role in respect of the payroll data was to receive and store it, and to disclose it to a third party. That in essence was his task, so far as the payroll data went: the fact that he chose to disclose it to others than KPMG was not authorised, but it was nonetheless closely related to what he was tasked to do;
And Mr Skelton’s role was a position of authority, power and trust – he was authorised by his employer to:
- have access to the sensitive employee data that was leaked; and
- copy that data onto other devices (USBs, laptops) for the purposes of disclosing that data to a third party (the auditor).
Given the differing approaches applied in the UK Court of Appeal Decision versus the High Court of Australia Decision – specifically, the need, according to the PAC case, to determine whether the relevant employee’s employment gave rise to the “occasion” for the offending conduct, it appears that Australian Courts might apply a different approach to that of the UK Courts on vicarious liability.
However, and recognising that the cases around vicarious liability depend heavily, as in many areas of the law, on the specific factual matrix and circumstances of each case; and recognising also, the relatively narrow set of facts at hand in the Morrisons case, we think that it would certainly be open to Australian Courts to reach a similar view on vicarious liability.
It is possible that under our Privacy Act – due in no small part to the lack of any relevant distinction between a data controller and a data processor – an Australian Court might be more prepared to find an employer directly liable in the Morrisons scenario.
Should an Australian Court be asked to look at the question of vicarious liability in relation to a similar fact scenario, we would suggest that a similar result could ensue, unless an Australian Court considered that the “occasion” test from the PAC Case had not been met. However for the reasons discussed above, we think that the fact scenario in the Morrisons case arguably could meet the requirements of the “occasion” test.
We have distilled some “take-aways” for Australian organisations to consider arising out of the Morrisons case:
- consider carefully the impact on an employee of disciplinary action, particularly if there are any changes in the employee’s behaviour or demeanour;
- special care should be taken in relation to employees who have access to sensitive or privileged information;
- maintain an active key word based alert in relation to IT system usage (noting the legal requirements that govern the monitoring and surveillance of employee use of their employer’s IT systems);
- employees researching TOR or the like should raise an IT/cybersecurity risk flag;
- implement an audit/tracking process for cases where sensitive data has been copied from its usual secure application or environment onto another device or other media; the process should ensure that any such copies are deleted within a pre-defined timeframe when no longer required in relation to the purpose for which the copy was originally made;
- make sure your IT security systems, processes and policies are up to scratch and up to date; and
- don’t forget mandatory data breach notifications under the Privacy Act.