Various Claimants v WM Morrisons Supermarket plc

On Friday 1 December 2017, the High Court handed down the eagerly anticipated judgment on liability in this group action, brought by over 5,000 Morrisons employees.

The outcome – the Court held that a data controller can be held to be vicariously liable for the actions of a rogue employee, even where it exercised adequate and appropriate controls.

Facts

In January 2014, Mr Skelton, who was an employee of Morrisons, leaked 99,998 employees' records online. This included employees' names, addresses, dates of birth, phone numbers, National Insurance numbers, bank account details and salary details. In short, sufficient information for identity theft.

The information was shared on various websites and sent to the media. The media notified Morrisons, who were able to remove the information the following day.

The reason that Mr Skelton had access to this personal information was as a result of his role as a senior IT auditor, tasked with compiling and passing the information securely to an external auditor.

In July 2015, Mr Skelton was convicted of fraud, offences under the Computer Misuse Act 1990 and the Data Protection Act 1998.

Subsequently, over 5,000 employees brought a group action (under a group litigation order) against Morrisons, seeking compensation for:

  • Breach of the Data Protection Act 1998 (the DPA)
  • Tort of misuse of private information
  • Equitable claim for breach of confidence

Although the precise reasons for Mr Skelton's actions are unclear, it was suggested in the trial that this was as a result of a grievance he had relating to previous disciplinary action against him.

The Court's decision

  • The Court determined that Morrisons was not primarily liable/directly at fault for the data breach, it having exercised "adequate and appropriate controls".
  • The only point on which the Court found that there may not have been sufficient control mechanisms related to the deletion of the data from Mr Skelton's computer. However, the Court held that this would not have prevented Mr Skelton's misuse of the data.
  • However the Court held that there was "sufficient connection between the position in which Skelton was employed and his wrongful conduct". Consequently, Morrisons was held vicariously liable for his actions.
  • This trial only determined liability and a further trial will be listed to determine the level of damages payable to the claimants.
  • The Court was, however, concerned that Mr Skelton's intention was to harm Morrisons and that its decision to hold Morrisons liable could "render the Court an accessory to furthering his criminal aims". Therefore, the Court granted Morrisons permission to appeal the decision on vicarious liability.

What is vicarious liability?

This is a common law principle whereby an employer can be held liable for the acts of its employees carried out in the course of employment.

As can be seen from this case, it is not necessary for there to be wrongdoing on the part of the employer.

The principle exists to provide a secondary remedy to individuals who have suffered harm, and where there is unlikely to be any recourse against the wrongdoer.

This is the first case in nearly 20 years, since the inception of the DPA, to question whether vicarious liability can arise under the DPA where an employee has deliberately misused data with which he was entrusted.

Data breaches are becoming an increasingly large problem for businesses, especially with the availability and portability of digital data. A report by IBM demonstrated that, in 2016, of the reported security incidents, 58% were caused by insiders, with 5% of those being malicious.

Therefore, for the courts to find that the employer can be liable, notwithstanding that it took appropriate steps to protect the data, will be of concern to many businesses.

Morrisons have been given leave to appeal, and it is anticipated that they will do so. Not least because the case will set a precedent, meaning that the remaining 95,000 affected by the breach could bring separate claims for compensation.

This trial was only to review liability with quantum still to be decided. However, with large scale data breaches even modest damages awards per head could lead to substantial pay-outs. Further, such breaches will shake confidence in businesses, potentially leading to a reduction in share value.

From a practical perspective, if this decision is upheld, it means that if a data breach occurs, businesses increasingly need to be thinking about preparing defences to any claims for damages as well as complying with their regulatory obligations and potential regulatory fines.

On a final note, the General Data Protection Regulation (GDPR) is set to replace the existing data protection regime on 25 May 2018. This will not have retrospective effect. However, like the DPA, we do not consider that the GDPR (or the current draft Data Protection Bill which will make provisions for how it is applied in the UK), either expressly or impliedly excludes vicarious liability, meaning that this ruling (subject to appeal) could set the bench mark for data protection going forward. In addition, under the GDPR, businesses will have an obligation to tell individuals about serious data breaches, which would effectively put them on notice that they have a potential claim and will likely increase the volume of claims.