The UK Court of Appeal has recently upheld the High Court decision that WM Morrison Supermarket plc (“Morrisons”) is vicariously liable for the deliberate data breach of its employee, Andrew Skelton.
By Rachel Ashwood and Razia Begum, Taylor Vinters
This is arguably a “harsh” decision for two key reasons. Firstly, employers may now be liable for the misuse of personal data by a disgruntled employee irrespective of whether the employer themselves is compliant with its duties under data protection legislation. Secondly, the wrongful action itself was carried out by an employee who intended to harm the employer (not for any personal benefit), which means that by finding Morrisons vicariously liable, the Court is in effect advancing Mr Skelton’s aim.
The first report of the personal data breach in 2015 saw the criminal conviction of Mr Skelton who was a senior IT internal auditor at the time. Mr Skelton had, as part of a campaign of a series of actions designed to damage Morrisons, leaked the personal details (including salaries, National Insurance numbers, dates of birth and bank account details) of around 100,000 of Morrisons’ staff to various public data-sharing websites and newspapers. Mr Skelton was sentenced to eight years’ imprisonment. This, however, was not the end of the matter, as what followed was the first group action litigation of its kind in the UK, brought by more than 5,000 of Morrisons’ employees, whose personal data Mr Skelton had disclosed.
High Court decision
Extensive coverage of the High Court decision was published in December 2017. To summarise, the employees sought to claim damages from Morrisons in the High Court under the Data Protection Act 1998 (the “DPA”). The High Court held that Morrisons was not primarily responsible, as Morrisons was not controlling the purpose for which the data was (mis)used at the time of the data breach. However, there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful acts, so as to make Morrisons vicariously liable.
Morrisons exercised its right to appeal the decision to the Court of Appeal.
Court of Appeal decision
The Court of Appeal unanimously upheld the High Court’s decision. The decision highlights some key practical and legal points for employers:
- Vicarious liability: Vicarious liability is not excluded by the DPA. In other words, employers can be held vicariously liable for a deliberate personal data breach by an employee, if the breach is carried out in the course of employment. There need not be any intent or wrongdoing on behalf of the employer.
- Wrongful actions to occur during the course of employment: As part of proving that the employer is vicariously liable, the employee is required to show that that the wrongful actions of the culpable employee occurred during the course of his or her employment with the employer. Morrisons contended this point on appeal, however despite this, the Court of Appeal confirmed that Mr Skelton’s wrongful action occurred during his employment with Morrisons.
- Insurance: The consequences of a successful group litigation of this nature can be very costly for the employer. In this case Morrisons could find themselves having to pay damages to more than 5,000 former and current employees (amount is to be determined separately). The Court of Appeal (rightly!) acknowledged this and practically advised that a resolution to such “catastrophes” would be for employers to insure against such losses which are caused by dishonest or malicious employees.
- General Data Protection Regulation (“GDPR”): This case was dealt with under the DPA as the personal data breach in question was before the GDPR came into force in May 2018. The GDPR will make it easier for such group actions to be brought given the increase in data subject rights under it.
Take away points
Prevention is (ideally) always better than cure. Employers should therefore consider what practical steps they may consider taking in connection with disgruntled employees, as part of any wider ongoing data compliance programme. This may include training to raise employee awareness about suspicious data-related behaviour. In addition, employers should consider if they need to protect themselves against potential misconduct on the part of disgruntled employees.
It will also generally be more important, given the increased sanctions for employers, to ensure that their data systems comply with the core data protection principles under the GDPR. In the event of a personal data breach, the Court will examine in detail the technical and organisational measures the employer has in place which could have potentially prevented the breach from occurring.
Click here to see the full list of updates.