Nefarious liability? Boost for employers as Morrisons succeeds at the Supreme Court

Employers and data controllers breathed a collective sigh of relief as the Supreme Court decided yesterday that Morrisons should not be vicariously liable for claims relating to a data breach perpetrated by a (now former) disgruntled employee seeking to damage the supermarket chain.
  How did we get here?

The underlying facts, and the previous decisions, are summarised in our posts on the High Court action here, and Morrisons' first, unsuccessful, appeal here.
Very briefly:

• Andrew Skelton was employed as an internal auditor. In 2014, having been subjected to a disciplinary sanction for questionable use of the company post room, he sought to exact revenge by extracting and publishing the payroll data of over 100,000 colleagues.
• Mr Skelton was jailed for offences under the Data Protection Act 1998 (DPA 98). A group of over 9,000 staff members affected pursued a group legal action against Morrisons to recover damages for distress caused.
• Initially the High Court found that, although Morrisons was not directly responsible for claims relating to the breach, it had vicarious liability for the actions of Mr Skelton. That finding was upheld in the Court of Appeal in 2018.
• The Supreme Court heard Morrisons' further appeal in November 2019 and handed down its judgment yesterday (1 April 2020).

What was decided?

The Supreme Court judges unanimously upheld Morrisons' major ground of appeal – determining that vicarious liability does not extend to cover the actions of Mr Skelton.
In doing so, they emphasised a number of factors, including:

• Mr Skelton's motivations - he was pursuing a vendetta and was deliberately attempting to harm Morrisons; and
• That, while he was authorised to access and disclose the data to certain people as part of his job, disclosure more broadly was not "an act he was authorised to do".

What does this mean and what should employers do?

The starting point is that this is good news for employers. There were legitimate concerns that, had the Supreme Court decided differently, employers would be exposed to significant liabilities where damage had been caused by rogue employees acting without authorisation and with the intent to harm their employer.
However, we would strongly advise against complacency. In many cases involving a similar breach, employer controllers would be directly liable for failing to take appropriate steps to safeguard the data – including by failing to have measures in place to prevent its access and distribution by staff members. Of course, unauthorised disclosures more often than not happen because of employees' negligence or mistakes, rather than deliberate acts. In those circumstances, the employer controller would still likely be vicariously liable for the consequences of any breach. It is easy to envisage a slightly different set of facts resulting in a wholly different outcome, and a potentially eye-watering damages order against Morrisons. In addition, we are seeing a trend for data subjects affected by breaches to coordinate their claims in collective actions (including litigation similar to US-style opt-out class actions).  While on this occasion the group did not succeed, we don't expect the Supreme Court's decision to dampen enthusiasm for these group claims, which can present a considerable threat to data controllers.  A separate development this week in the representative action against Equifax may be more influential.
Of course, that means that it remains important for employer controllers to take proactive steps to protect against and mitigate key risks here, including through:

• development or refinement of policies and guidance around staff access to and use of data including, for example, acceptable use policies and, particularly pertinent at the moment, remote working / own device policies;
• assessing risks primarily caused by the "insider" (employee) threat in other areas, including threats to staff and consumer safety and discrimination and harassment risks; ensuring appropriate policies and guidance are in place and clearly communicated;
• appropriate, engaging and evidenced programmes of training, to ensure staff understand the network of policies and the standards expected of them;
• auditing and tightening up access controls in respect of personal and other confidential information; and
• having in place appropriate monitoring tools to allow for prevention and detection of potential data breaches, remembering to properly assess the risk to staff members' privacy before installation. A good starting point here is to remember that blocking is preferable to logging, and so employers should lock down USB ports and prevent access to unauthorised webmail platforms and filesharing sites before utilising logging tools to alert managers to atypical downloading behaviours.

We intend to publish a more in-depth analysis of this decision and what it means for employer controllers in due course but if you would like specific advice on the implications, are dealing with a similar action or simply want to make a start on the development of an appropriate policy and training framework, you can reach out to the authors or our other market-leading experts in data disputes, employment and/or privacy.