Employer liable for employee's data breach

Various Claimants v WM Morrisons Supermarket plc

An employer was vicariously liable for the actions of one of its employees who, to damage his employer, leaked personal staff data on a file-sharing website.

Background

In 2014, Mr Skelton, an internal auditor at Morrisons with a grudge against the supermarket (stemming from a previous disciplinary issue), leaked employee information online and to various media outlets. The leak involved the payroll data of about 100,000 employees and comprised highly sensitive information such as the employees’ bank sort codes, account numbers and National Insurance details. He had copied the information onto a USB stick. He was arrested and subsequently convicted and sentenced to eight years’ imprisonment for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

About 5,000 affected staff brought a group claim for breach of the DPA, the first of its kind in the UK. They argued that Morrisons was directly liable under the DPA for breach of statutory duty, liable at common law (for misuse of private information and breach of confidence) and vicariously liable for the actions of Mr Skelton.

High Court decision

The High Court held that Morrisons was not directly liable for the data breaches but was vicariously liable for Mr Skelton’s actions.

Direct liability

The misuse of the data was attributable to Mr Skelton and not to Morrisons. To hold otherwise would be to impose strict/absolute liability on a company for any data it possesses, which is not something the DPA intended. Similarly, Morrisons was not liable at common law because the breach was not attributable to it. Additionally, Morrisons had taken appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data (e.g. the USB stick was encrypted). Note that encrypting the medium protects against loss or theft of the device; it does not stop someone who is authorised to access the data from copying it elsewhere, which is how this leak occurred.

Vicarious liability

The issue of whether Morrisons was vicariously liable turned on whether Mr Skelton’s actions were ‘sufficiently closely connected’ to his role in the company.

Mr Skelton was an employee, acting in the course of his employment, having been placed in a position where he had the means to access, and thereafter copy, the data. The High Court held that his role at Morrisons was sufficiently closely connected to his unlawful acts to make Morrisons vicariously liable for them.

None of Morrisons’ arguments against imposing vicarious liability found favour with the court. These included the fact that the act of uploading the personal data had taken place outside work premises, from a personal computer that was not used for work, and outside working hours (on a Sunday).

The court was, however, troubled by one aspect of the case: the intention behind Mr Skelton’s acts was to harm Morrisons, and in holding it vicariously liable the court was, in an indirect way, helping Mr Skelton achieve his goal. For this and other reasons, Morrisons has been granted permission to appeal the finding of vicarious liability.

Link to judgment: http://www.bailii.org/ew/cases/EWHC/QB/2017/3113.html

Comment

A sizeable proportion of data breaches are caused by malicious actions of employees or ex-employees. So this is a troubling decision for employers, in the sense that it exposes them to liability even where they have done very little wrong. The stricter regime under the forthcoming General Data Protection Regulation will not ease employers’ minds either.

It probably goes without saying that this should encourage employers to review their information security procedures and consider how well they are protecting data from both internal and external threats. The facts here are instructive: the leak was carried out by an employee with legitimate access who copied a complete payroll extract to removable media, so controls aimed only at outsiders (or only at lost devices) would not have prevented it. Limiting who can extract bulk personal data, and monitoring and alerting on such extracts and on copying to removable media, address the insider scenario directly.

There will be no decision on compensation until any appeal has been heard. While individual compensation may be minimal (unless direct harm can be proved), when multiplied across thousands of claimants the amounts could become very significant.