
Supermarket held vicariously liable for employee's deliberate data breach

Mr Skelton was a senior internal auditor employed by Morrisons plc. His role involved assisting external auditors by securely providing payroll data.  

In July 2013 he was subjected to disciplinary proceedings for an unrelated incident which resulted in a warning. 

The offence

Mr Skelton, aggrieved at the disciplinary action, copied payroll data to a USB stick and posted a file containing the personal details of around 100,000 employees on a file-sharing website. The information was also sent to the media. The details included the employees' names, addresses, dates of birth, phone numbers, National Insurance numbers, bank account details and salary details: in summary, enough information for identity theft.

Mr Skelton was convicted and sentenced to 8 years in prison for breaching the Data Protection Act 1998 (DPA) and the Computer Misuse Act 1990.

The Group Action

Over 5000 employees brought a group action against Morrisons seeking compensation for:

  • Breach of the DPA

  • Tort of misuse of private information

  • Equitable claim for breach of confidence.

This sort of claim was not envisaged when the DPA was drafted, but it became possible in 2015 when the Court of Appeal ruled that damages could be claimed without proof of monetary loss (Vidal-Hall v Google [2015] EWCA Civ 331). This enabled claims to be pursued merely on the basis of distress.

The claim was that Morrisons had primary liability for its own acts or omissions, and vicarious liability for the actions of one of its employees which harmed his fellow workers.

Specifically, the employees claimed that Morrisons was a data controller at all relevant times in relation to the payroll data, and that the company was automatically and directly liable once it had been shown that the data was misused. In the alternative, they claimed that if the DPA did not impose strict liability, then Morrisons had fallen below the appropriate standards.

They also claimed that Morrisons had breached the seventh data protection principle which required it to take appropriate security measures against unlawful processing and loss of data.

Primary Liability

The High Court found that Morrisons was not primarily liable for the data breach as it did not directly misuse any personal data or authorise its misuse. Mr Skelton took on the role of data controller in respect of the misused data, made the decisions about how and why the data was processed, and was the one who disclosed the data on the internet.

In addition, the Court found that Morrisons had on the whole put in place sufficient controls to protect data, and that even though Mr Skelton had previously faced disciplinary action, there was no suggestion that he could not be trusted to perform his role.

The only minor point on which the Court found that there may not have been sufficient control mechanisms related to the deletion of the data from Mr Skelton's computer once it had been passed to the auditors. However, the Court held that a deletion control would not have prevented Mr Skelton's misuse of the data, since he had already copied it.

Vicarious Liability

Vicarious liability may arise without any fault on the part of the employer. Morrisons would be liable if Mr Skelton was acting in the course of his employment. There were strong arguments that he was not doing so, as:

  1. He was acting as a data controller himself;

  2. He was not performing his duties as an employee when disclosing the data and using it himself;

  3. The disclosure was intended to take revenge on Morrisons rather than to benefit it; and

  4. He had used his own personal computer outside of working hours to leak the data.

However, the Court held that there was "sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct", so he had acted in the course of his employment and Morrisons was therefore held vicariously liable for his actions.

Morrisons had entrusted Mr Skelton with the payroll data; it was not something he obtained access to simply by being at work. There was a seamless and continuous thread linking his work to the disclosure. His role was to receive the payroll data, store it and disclose it to KPMG as auditors. Even though his disclosure to others was not authorised, it was closely related to the tasks he was employed to perform.

The purpose of the DPA would be defeated if “at the moment an employee decides to misuse data to which his employer has given him access the employer ceases to be under any further liability, on the basis that the employee thereafter will be data controller in respect of the misuse”.

Judgment

The judgment concerned liability, not the amount of compensation.

The Court was concerned that Mr Skelton's intention was to harm Morrisons, and that its decision to hold Morrisons liable could "render the Court an accessory to furthering his criminal aims". Permission was therefore given to Morrisons to appeal the findings on vicarious liability.

If any appeal is unsuccessful, Morrisons will be liable to compensate the 5,000 or so employees who brought the claim, and potentially the remaining 95,000 or so affected employees who have not yet claimed. Even if compensation for distress is very modest per employee, the total cost could be significant.

What does this mean for you or your business?

  • This case highlights the wide-reaching implications of data protection legislation, establishing that organisations can be liable for breaches of data protection law even when they are themselves the intended victim of the breach.

  • The principles of vicarious liability apply to data protection.

  • An employer can be liable even if it took appropriate steps to protect the data: sound security controls reduce the likelihood of a breach, but on this ruling they do not remove liability for a rogue insider acting within the thread of his employment.

  • As group action litigation is becoming increasingly common in the UK and data protection legislation is becoming stricter, the risk of claims in this area is increasing. Although individual claims may not be significant in value, when grouped together and pursued by hundreds or thousands of affected individuals the total claim can quickly become very large.

  • The General Data Protection Regulation (GDPR) will replace the existing data protection regime in May 2018. We do not consider that the GDPR either expressly or impliedly excludes vicarious liability, so this ruling (subject to appeal) could set a benchmark for data protection breaches going forward. As businesses will have an obligation under the GDPR to tell affected individuals about serious data breaches, this will effectively put those individuals on notice that they have a potential claim, which is likely to increase the volume of claims.

What do you need to be doing now?

  • Carefully select and vet the employees you trust with access to personal data, to limit the risk of liability for the wrongful acts of rogue employees. The judgment shows that even a disciplinary history that does not itself cast doubt on an employee's trustworthiness will not shield the employer once data has been entrusted to that employee.

  • You could consider taking out insurance cover against the risk of group litigation, as the judge in this case suggested. This may be a sensible way to mitigate the risk.


These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.
