Employer liable for employee's data breach

WM Morrisons Supermarket plc v Various Claimants

An employer was vicariously liable for the actions of one of its employees who, to damage his employer, leaked personal staff data on a file-sharing website.

Background

In 2014, Mr Skelton, an internal auditor at Morrisons with a grudge against the supermarket (stemming from an earlier disciplinary matter), leaked employee information online and to several media outlets. The leak involved the payroll data of about 100,000 employees and comprised highly sensitive information such as the employees' bank sort codes, account numbers and National Insurance (NIC) details. He had copied the information onto a USB stick. He was arrested and subsequently convicted and sentenced to eight years for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA). About 5,000 affected staff brought a group action for breach of the DPA, the first of its kind in the UK. They argued that Morrisons was directly liable under the DPA for breaching a statutory duty, liable under common law (for misuse of personal data and breach of confidence) and vicariously liable for the actions of Mr Skelton.

High Court decision

The High Court held that Morrisons was not directly liable for the data breaches but was vicariously liable for Mr Skelton’s actions – despite the fact that the Information Commissioner had not criticised Morrisons’ data security procedures and no failings by Morrisons had been identified which could have prevented the data breach.

Direct liability

The misuse of the data was attributable to Mr Skelton and not to Morrisons. To hold otherwise would be to impose strict (absolute) liability on a company for any data it possesses, which is not something the DPA intended. Similarly, Morrisons was not liable under common law because the breach was not attributable to it. Additionally, Morrisons had taken appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data (for example, the USB stick on which the data was handed to Mr Skelton was encrypted).

Vicarious liability

The issue of whether Morrisons was vicariously liable turned on whether Mr Skelton’s actions were ‘sufficiently closely connected’ to his role in the company.

Mr Skelton was an employee, acting in the course of his employment, having been placed in a position where he had the means to access, and thereafter copy, the data. The High Court held that his role at Morrisons was sufficiently closely connected to his unlawful acts to make Morrisons vicariously liable for them.

None of Morrisons' arguments against imposing vicarious liability on it found favour with the court. These included the fact that the act of uploading the personal data had taken place outside work premises, from a personal computer that was not used for work, and outside working hours (on a Sunday).

The court was however troubled by one aspect of the case – that the intention of Mr Skelton’s acts was to harm Morrisons and in holding it vicariously liable the court was, in an indirect way, helping Mr Skelton in achieving his goal. For this and other reasons, Morrisons was granted permission to appeal the finding of vicarious liability.

Court of Appeal judgment

The Court of Appeal unanimously dismissed Morrisons’ appeal.

An employee does not need to be ‘on the job’ for an employer to be vicariously liable for his or her wrongdoing. While the time and place where the wrong occurred will be relevant, they are not the only consideration. Employers have been held vicariously liable for wrongs committed away from the workplace, see Bellman v Northampton Recruitment Ltd.

Rather, the question is whether the wrong committed was 'within the field of activities assigned to the employee'. Here the court had no doubt that Mr Skelton's activities were.

Addressing the High Court’s concern that imposing liability on Morrisons in these circumstances would, in effect, make the court an accessory in furthering Mr Skelton’s criminal aims, the Court of Appeal stressed that the wrongdoer’s motive is irrelevant. The court could not accept that there was an exception to the irrelevance of motive where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer.

The court acknowledged that corporate system failures or employees’ negligence might lead to a large number of claims against a company for ‘potentially ruinous amounts’ but said that the solution is to insure against such catastrophes.

Link to judgment: https://www.bailii.org/ew/cases/EWCA/Civ/2018/2339.html

Comment

A sizeable proportion of data breaches are caused by malicious actions by employees or ex-employees. So this is a troubling decision for employers, in the sense that it exposes them to liability even where they have done very little wrong. The stricter regime under the GDPR and the Data Protection Act 2018 will not ease employers' minds either.

It probably goes without saying that this should encourage employers to review their information security procedures and consider how well they are protecting data from both internal and external threats. Examples of such controls include preventing employees from accessing premises and information outside office hours, and alerts that fire if an employee tries to download or export an unusually large amount of information. Note that in this case the data was copied at work onto a USB stick and only uploaded later from a personal computer, so controls of this kind need to operate at the point where the data is accessed or exported, not only at the network perimeter.
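The following is an added illustration of the two controls just mentioned (off-hours access and excessive download volume), written for this note rather than taken from the judgment or from any Morrisons system. It runs over a small constructed audit log and flags three things: access outside the working window or at the weekend, any single export above a size threshold, and a user whose cumulative exports for one day cross a daily limit. The log format, the thresholds, the user names and the action names are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log for this example (hypothetical, not real data).
# Fields: ISO timestamp, user, action, number of payroll records touched.
# 2024-03-03 is a Sunday; 2024-03-04 is a Monday.
SAMPLE_LOG = """\
2024-03-04T10:12:04 jsmith export_payroll 120
2024-03-04T10:40:31 jsmith export_payroll 300
2024-03-04T11:05:00 aslee view_payslip 1
2024-03-03T22:31:17 aslee export_payroll 5000
2024-03-03T22:33:40 aslee export_payroll 50000
2024-03-03T22:35:02 aslee export_payroll 45000
"""

# Policy thresholds (hypothetical values chosen for illustration).
WORK_START = time(8, 0)
WORK_END = time(18, 30)
BULK_EXPORT_RECORDS = 1_000      # a single export this large is unusual for one user
DAILY_EXPORT_RECORDS = 10_000    # cumulative exported records per user per day


def parse_line(line):
    """Parse one whitespace-separated audit line into a dict."""
    ts, user, action, count = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "count": int(count)}


def is_off_hours(ts):
    """Weekends, or weekday times outside the working window, count as off-hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() <= WORK_END)


def analyse(log_text):
    """Return a list of (rule, user, detail) alerts for the given audit log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])          # logs are not always in order
    alerts = []
    daily_exports = defaultdict(int)            # (user, date) -> records exported
    for ev in events:
        if is_off_hours(ev["ts"]):
            alerts.append(("off_hours_access", ev["user"], ev["ts"].isoformat()))
        if ev["action"] == "export_payroll":
            if ev["count"] >= BULK_EXPORT_RECORDS:
                alerts.append(("bulk_export", ev["user"], f"{ev['count']} records"))
            key = (ev["user"], ev["ts"].date())
            before = daily_exports[key]
            daily_exports[key] += ev["count"]
            # Fire once, when the cumulative daily total first crosses the limit.
            if before < DAILY_EXPORT_RECORDS <= daily_exports[key]:
                alerts.append(("daily_volume_exceeded", ev["user"],
                               f"{daily_exports[key]} records on {key[1]}"))
    return alerts


def users_flagged(alerts):
    """Distinct users appearing in any alert, sorted for stable output."""
    return sorted({user for _, user, _ in alerts})


if __name__ == "__main__":
    for rule, user, detail in analyse(SAMPLE_LOG):
        print(rule, user, detail)
```

Run as a script it prints seven alerts, all for the user who exported 100,000 records late on a Sunday; the weekday user with two small exports is never flagged. The daily-volume rule deliberately fires only once per user per day so that a mass export does not drown the alert queue in duplicates.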

While individual compensation may be minimal (unless direct harm can be proved), when multiplied by thousands of claimants, the amounts could start to become very significant.

The only industry likely to be pleased by this decision is the insurance industry!

Morrisons has indicated that it will appeal this decision.