The recent Court of Appeal decision in the case of Wm Morrisons Supermarkets Plc v Various Claimants shows that employers may now be vicariously liable for data breaches caused by the deliberate acts of rogue employees, even where the employer is otherwise compliant with data protection legislation.
Facts of the Morrisons case
Mr Skelton, a senior internal IT auditor employed by Morrisons, developed a grudge against his employer after he was disciplined for using Morrisons’ postal facilities for personal mail.
Months later, Morrisons tasked Mr Skelton with transferring data to Morrisons’ external auditors as part of the statutory audit process. He was given access to the payroll data of Morrisons’ entire workforce (120,000 people) for this purpose. Unbeknownst to Morrisons, Mr Skelton copied the data onto a personal USB stick and took it home. Some weeks later, whilst at home at the weekend, he posted the data onto a file sharing website from his personal computer. He used the details of another employee in an attempt to frame him. Two months later, Mr Skelton sent a CD of the data to three newspapers with a cover letter purporting to be from a concerned person who had discovered the data on the file sharing website.
The newspapers did not publish the information but informed Morrisons, who swiftly took down the data from the website and alerted the police. Mr Skelton was then charged with fraud, an offence under the Computer Misuse Act 1990 and an offence under section 55 of the Data Protection Act 1998 (DPA) for the unlawful obtaining of personal data. He was sentenced to eight years’ imprisonment.
The Information Commissioner’s Office investigated Morrisons and found they were not in breach of the DPA.
Of the 100,000 employees whose data was disclosed, some 5,500 brought a group claim (the first of its kind in the UK) against Morrisons. This High Court claim was for misuse of private information, breach of confidence and breach of the DPA. The claimants claimed that Morrisons was either primarily liable or vicariously liable for Mr Skelton’s wrongful acts.
The High Court found that Morrisons had not directly misused or permitted the misuse of any personal information and was therefore not primarily liable in that respect. The Court also dismissed the claim under the DPA 1998. In determining whether Morrisons was in breach of the DPA, the court looked at the seventh data protection principle requiring “appropriate technical and organisational measures” to be taken against “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. The court concluded that Morrisons had taken “adequate and appropriate controls” and were not liable under the DPA.
The High Court did however conclude that Morrisons was vicariously liable for the data breach. There was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct to justify holding Morrisons vicariously liable for his actions.
The judge did grant the right to appeal as he was concerned that in giving the judgement against Morrisons, the court may be furthering the criminal aims of Mr Skelton to cause damage to Morrisons.
Morrisons appealed to the Court of Appeal on the grounds that:
- The DPA excludes vicarious liability for the misuse of private information and breach of confidence.
- It could not be vicariously liable as the actions of Mr Skelton did not occur during the course of his employment.
The Court of Appeal rejected the appeal. It concluded that the DPA does not exclude vicarious liability. If the intention of parliament was to exclude liability, as argued by Morrisons, it would have expressly said so. Furthermore, exclusion of the liability is not consistent with the principal aim of the DPA to protect privacy and excluding liability would leave no effective remedy for its infringement.
The Court of Appeal considered that Morrisons should be vicariously liable for Mr Skelton’s actions as they were in the course of his employment. This was despite the fact that he had carried out the unlawful actions at home, on a non-working day, weeks after he had been given access to the data for work purposes, and had deliberately concealed what he had done with a deliberate intention to damage Morrisons. The Court concluded that the motive behind the criminal act was irrelevant and that Mr Skelton’s actions at work and the disclosure on the internet were a seamless and continuous sequence of events.
Damages are to be assessed separately, but they could be significant with a claimant cohort of 100,000 people.
Morrisons has expressed that it intends to take the case to the Supreme Court. In the meantime, businesses are advised to follow the Court of Appeal’s suggestion that they insure against the risks posed by rogue employees. Given this decision, it may be difficult to find insurance to cover these risks in their entirety.
In addition, it is advisable to consider the inclusion of indemnities in contracts with subcontractors and service providers for data protection breaches by them and/or their employees.