The Court of Appeal has recently upheld the High Court decision that WM Morrison Supermarket plc (“Morrisons”) is vicariously liable for a deliberate data breach committed by its employee, Andrew Skelton.
This is arguably a “harsh” decision for two key reasons. Firstly, employers may now be liable for the misuse of personal data by a disgruntled employee irrespective of whether the employer itself is compliant with its duties under data protection legislation. Secondly, the wrongful act was carried out by an employee who intended to harm the employer (not to gain any personal benefit), which means that by finding Morrisons vicariously liable, the Court is in effect advancing Mr Skelton’s aim.
The personal data breach first led, in 2015, to the criminal conviction of Mr Skelton, who at the time was a senior IT internal auditor at Morrisons. As part of a campaign of actions designed to damage Morrisons, Mr Skelton had leaked the personal details (including salaries, National Insurance numbers, dates of birth and bank account details) of around 100,000 of Morrisons’ staff to various public data-sharing websites and newspapers. Mr Skelton was sentenced to eight years’ imprisonment. This, however, was not the end of the matter: what followed was the first group action litigation of its kind in the UK, brought by more than 5,000 of Morrisons’ employees whose personal data Mr Skelton had disclosed.
High Court decision
Extensive coverage of the High Court decision was published in December 2017. To summarise, the employees sought damages from Morrisons in the High Court under the Data Protection Act 1998 (the “DPA”). The High Court held that Morrisons was not primarily liable, because at the time of the breach it was Mr Skelton, not Morrisons, who was determining the purpose for which the data was (mis)used. However, there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful acts to make Morrisons vicariously liable.
Morrisons exercised its right to appeal the decision to the Court of Appeal.
Court of Appeal decision
The Court of Appeal unanimously upheld the High Court’s decision.
Practical and legal takeaways
The decision highlights some key practical and legal points for employers:
- Vicarious liability: Vicarious liability is not excluded by the DPA. In other words, employers can be held vicariously liable for a deliberate personal data breach by an employee if the breach is carried out in the course of employment. There need not be any intent or wrongdoing on the part of the employer.
- Wrongful acts in the course of employment: To establish vicarious liability, the claimant must show that the wrongful acts of the culpable employee occurred in the course of his or her employment. Morrisons contested this point on appeal and advanced a number of credible arguments, including that the disclosure of the employees’ personal details did not involve a work computer; that the disclosure was not part of the work Mr Skelton was required to do for Morrisons; that the breach occurred on a Sunday (a non-working day for Mr Skelton); and that the act in question was a personal act by Mr Skelton designed specifically to harm his employer. Despite this, the Court of Appeal confirmed that Mr Skelton’s wrongful act occurred in the course of his employment with Morrisons. There is, in addition, ample case law supporting an employer being held liable for acts committed by an employee away from the workplace.
- Insurance: A successful group litigation of this nature can be very costly for the employer. In this case Morrisons could find itself paying damages to more than 5,000 current and former employees (the amount is to be determined separately). The Court of Appeal acknowledged this and observed that the practical answer to such “catastrophes” is for employers to insure against losses caused by dishonest or malicious employees. Whether that works in practice will of course depend on the effectiveness and scope of the insurance policy concerned, and this decision may well prompt insurers to introduce exclusions and restrictions given the substantial costs associated with group actions. Whilst insurance may be an option for larger employers, it may not be a practical reality for smaller employers with tighter financial constraints.
- General Data Protection Regulation (“GDPR”): This case was decided under the DPA because the personal data breach occurred before the GDPR came into force in May 2018. The GDPR will make it easier for such group actions to be brought, given the expanded data subject rights under it (including the express right to compensation for non-material damage, such as distress, as well as financial loss). This, coupled with the decision against Morrisons, means there is likely to be an influx of group actions following personal data breaches in the employment context too. In addition, any damages awarded could be much higher under the GDPR.
Prevention is (ideally) always better than cure. Employers should therefore consider what practical steps they can take in relation to disgruntled employees as part of any wider ongoing data compliance programme. This may include training to raise employee awareness of suspicious data-related behaviour. Employers should also consider whether they need to protect themselves against potential misconduct by disgruntled employees. For example, depending on the circumstances, it may be an appropriate security measure to review whether a disgruntled employee still needs the same level of access to confidential information and sensitive personal data, and whether access to (and bulk copying of) such data is logged and reviewed so that misuse can be detected. However, any limiting of access must be balanced very carefully against the ongoing duty of mutual trust and confidence between the parties, and in particular against any allegation that the employer’s actions in limiting access to data amount to a breach of that duty.
Given the increased sanctions for employers, it will also generally be more important to ensure that data systems comply with the core data protection principles under the GDPR, including the requirement to implement appropriate technical and organisational security measures (Article 32 of the GDPR). When assessing an employer’s own liability for a personal data breach, the Court will examine in detail the technical and organisational measures the employer had in place and whether they could have prevented the breach from occurring.
Watch this space…
It is yet to be seen whether Morrisons will appeal to the Supreme Court and indeed what the outcome of any such appeal would be.
How can we help?
If you need advice on any of the issues raised above, whether it be a rogue employee with access to particularly sensitive personal data or ensuring that your data systems comply with data protection legislation, we are available to assist. Please do not hesitate to contact Razia Begum or Rachel Ashwood to discuss how we can assist you and your business.