Morrisons loses its challenge over data breach liability – an important judgment for employers

The Court of Appeal recently upheld the High Court's decision that Morrisons is vicariously liable for a data breach carried out by one of its employees over 4 years ago. The decision is a reminder that an employer may be held liable for the malicious actions of a rogue employee, besides highlighting the increasing threat of group actions for cyber and data breaches.

The Court of Appeal recently upheld the High Court's decision that Morrisons is vicariously liable for a data breach carried out by one of its employees over 4 years ago. The decision is a reminder that an employer may be held liable for the malicious actions of a rogue employee, besides highlighting the increasing threat of group actions for cyber and data breaches.

Background

We previously reported on the background to the case and the High Court's decision here.

To recap, Andrew Skelton, an internal auditor at Morrisons, became disgruntled after receiving a verbal warning for workplace misconduct. In November 2013, he copied the payroll data of almost 100,000 staff onto a USB stick and two months later uploaded the data to a public file sharing site. Morrisons, on being alerted to the data breach, took swift action to remove the information from the site. Mr Skelton was charged and sentenced to 8 years imprisonment for fraud and offences under the Computer Misuse Act 1990 and section 55 of the Data Protection Act 1998 ("DPA 1998").

Meanwhile, a group of 5,518 employees launched a claim against Morrisons, alleging various breaches of the DPA 1998 as well as breach of confidence and misuse of private information. A Group Litigation Order was granted, making this the first employee class action in the UK for a data breach.

The appeal

Last year, the High Court found that Morrisons had not breached the DPA 1998 or its common law duties but was vicariously liable for the full extent of Mr Skelton's criminal conduct. Morrisons appealed the decision on the following grounds:

1. the DPA 1998 excluded the application of vicarious liability under common law;
2. the DPA 1998 also excluded the application of common law causes of action for breach of confidence and misuse of private information and/or the imposition of vicarious liability for breaches of the same; and
3. Mr Skelton had not been acting in the course of his employment when he carried out the breach and Morrisons could not be vicariously liable.

Grounds 1 and 2

The Court considered grounds 1 and 2 together. Both were based on the same argument that the DPA 1998 was specialist legislation that provided a comprehensive code for the wrongful processing of personal data and, as such, expressly or impliedly excluded an employer's liability for wrongful processing by one of its employees where the employee was acting as the data controller.

Morrisons pointed to the fact that the DPA 1998 did not itself impose strict liability on a data controller. Instead, under the seventh data protection principle a controller was required to take “reasonable steps” to ensure the reliability of employees who had access to personal data and, furthermore, could not be liable for compensatory damages if they had taken "such care as in all the circumstances was reasonably required" to prevent a breach. To impose strict liability on an employer who was not a controller for the faults of an employee who was a controller would be, Morrisons argued, inconsistent with this fault-based regime.

The Court disagreed, however. Firstly, it said, the DPA 1998 did not expressly exclude common law remedies in the wording of the statute and Morrisons had itself accepted that Mr Skelton was liable under both the DPA 1998 and common law. Secondly, the difference between the fault-based liability that the DPA 1998 imposed on an employer controller and the strict liability imposed on an employer for the conduct of its employees merely reflected the position under common law. As such, imposing vicarious liability in this circumstance was consistent with well-founded principles of English law.

Ground 3

The Court then considered whether Morrisons should be held vicariously liable on the facts of the case. It applied a two-part test outlined by the Supreme Court in Mohamud v Wm Morrison Supermarkets plc [2016] AC 667:

1. what functions or "fields of activity" were entrusted by the employer to the employee - i.e. what were Mr Skelton's responsibilities?; and
2. was there was a sufficient connection between the employee's role and their wrongful conduct to make it right for the employer to be held liable - i.e. was Mr Skelton acting in the course of his employment when he carried out the breach?

The answer to the first question was fairly straightforward: Mr Skelton's role had been to receive the payroll data, to store it and to disclose it to a third party (the external auditor). Morrisons had deliberately entrusted him with those tasks and accepted the risk that he would abuse his position.

The answer to the second question came down to the facts of the case. Morrisons argued that Mr Skelton's act of copying the data onto the USB stick was "past history" by the time he disclosed it two months later. However, the Court considered that Mr Skelton's wrongful conduct had actually begun when he first copied the data and that nothing had occurred in between that time and the eventual disclosure that fundamentally changed the nature of the employer-employee relationship. As a result, there was a sufficient connection between his employment duties and his wrongful conduct to impose liability.

The Court did acknowledge that Mr Skelton's ultimate aim had been to cause harm to his employer and that by finding Morrisons liable for those same actions the Court was, in one sense, furthering his criminal objectives. However, it emphasised that motive is not relevant to vicarious liability and an exception could not be applied in this case.

Morrisons have announced their intention to appeal to the Supreme Court.

Comment

While data controllers may have been encouraged by the High Court's recent dismissal of the "You Owe Us" claim against Google, this ruling is a warning of the real and increasing threat of group actions for wrongful processing, including data breaches. It is also a reminder that an employer may be liable for the acts of its employees, even those carried out maliciously to harm the company itself.

Under the current law, the EU GDPR (General Data Protection Act 2016/679) and the UK Data Protection Act 2018, it is in fact easier for individuals to bring claims for data breaches. This, coupled with a rising awareness of data protection amongst the public, has increased the risks of litigation.

In their final comments, Lord Justices Bean and Flaux pointed to the availability of insurance to protect against malicious data breaches. However, insurance is not the silver bullet. Employers need to take a holistic approach ensuring, for example, that:

• they have properly vetted staff, particularly where they require access to confidential information;
• they have clear, easily understood and relevant policies, which are regularly updated and communicated to all staff;
• employees have been trained on information security rules and requirements;
• they act to prevent (rather than seek to cure) data loss, by applying protocols which prevent indiscriminate access to and copying of sensitive information to personal devices; and
• they are able to (in accordance with their data protection obligations) recognise and act decisively when alerted to potentially inappropriate access or copying.

Fieldfisher has considerable expertise in employment, data protection and cyber security. If you need help identifying gaps in your policy framework or dealing with a potential breach, please do not hesitate to contact either our Privacy, Security & Information team or our Employment & Pensions team.