Morrisons NOT vicariously liable for employee data protection breach says UK Supreme Court
Morrisons NOT vicariously liable for employee data protection breach says UK Supreme Court
Firstly – This is legal information of general interest and does not constitute legal advice of any kind.
On April 1, 2020, the UK Supreme Court today handed down their judgement in the case of WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondent), case UKSC 2018/0213. The Supreme Court unanimously ruled that Morrisons were not vicariously liable for the actions of a rogue employee misusing personal data that had been legitimately provided to the employee in the course of their employment.
“No vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.”
The ruling will most likely be a sigh of relief to employers across the UK who could have found themselves having to fight expensive class-action lawsuits should they themselves fall victim to a rogue employee deliberately breaching the Data Protection Act. This should not mean, however, that organisations should become complacent, however, as this case covered the requirements of the old Data Protection Act (1998). The new Data Protection Act (2018), which is the UK translation of GDPR introduces stricter requirements for the control of personal data. Whilst vicarious liability may be less of concern following this landmark ruling, there are still lessons to be learned!
Back in November 2013, an Internal IT Auditor at the Supermarket chain Morrisons downloaded payroll data onto a personal USB stick and took it home. A few months later, whilst still employed the Auditor uploaded the data onto a file-sharing site and then to a group of newspapers. It appears the auditor was motivated by a grudge against the supermarket chain relating to a disciplinary hearing that he felt was unfair. He was subsequently found guilty of a number of offences (fraud, securing unauthorised access to computer material and disclosing personal data) and sentenced to 8 years jail time.
5000+ Morrisons’ employees, then issued a claim against the supermarket for damages. The claimants asserted that as the IT Auditor was an employee of Morrisons, the supermarket is vicariously liable for his actions.
In the High Court  EWHC 3113 (QB), Judge Langstaff ruled Morrisons were not directly liable but were liable vicariously. He also determined that the Data Protection Act (1998 version at the time) did not impose direct liability on an employer. Morrisons, however, appealed the lower courts decision to the Appeals Court  EWCA Civ 2339.
The central issue appealed, was “whether an employer is liable in damages to those of its current or former employees whose personal and confidential information has been misused by being disclosed on the web by the criminal act of another employee, who had a grudge against the employer, in breach of the Data Protection Act 1998 (“the DPA”) and in breach of that employee’s obligation of confidence.” the court was also asked to opine whether the unlawful acts were sufficiently closeness in proximity to the normal field of activities performed by the IT Auditor in the course of their everyday employment, specifically because unauthorised disclosure of the payroll data took place months after copying and were disclosed on a Sunday, at home and from a personal computer.
The Appeals court upheld the decision of the lower court confirming that Morrisons was vicariously liable for the torts committed by Mr Skelton against the claimants stating “the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.” and “employers [in other cases] have been held vicariously liable for torts committed away from the workplace.“
Having been given the opportunity to appeal once more to the Supreme Court, Morrisons did just that. The Supreme Court was asked to decide on two questions:
- Whether the Data Protection Act 1998 (‘the DPA’) excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence
- Whether the Court of Appeal erred in concluding that the disclosure of data by the appellant’s employee occurred in the course of his employment, for which the appellant should be held vicariously liable
In answer to question one, the supreme court ruled:
“The appellant’s argument that liability is excluded unpersuasive. Imposing statutory liability on a data controller like Skelton is not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA says nothing about a data controller’s employer. It is irrelevant that a data controller’s statutory liability under the DPA is based on a lack of reasonable care, while vicarious liability for an employee’s conduct requires no proof of fault. The same contrast exists at common law between, for example, an employee’s liability in negligence and an employer’s vicarious liability. It makes no difference that an employee’s liability may arise under statute instead.”
In respect of question two, the decision was that:
“No vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability.”
Employers can also become a victim of a data breach
Let’s not forget that, in addition to the employees, Morrisons itself was also a victim of their employee’s actions. The ICO had found that Morrisons had done what they needed to in terms of their obligations under the DPA 1998 but still face this legal action because its employees were also separately victims. It’s one of those strange cases which will no doubt be discussed for a long time to come. This absurdity of justice, where a victim pays for a crime committed against them is one of the main reasons each court gave permission to appeal. Justice Langstaff said in the original case: “…the point which most troubled him in reaching his conclusions was the submission that the wrongful acts of the IT Auditor were deliberately aimed at the party whom the claimants sought to hold responsible, such that to reach the conclusion he had might seem to render the court an accessory in furthering IT Auditor’s criminal aims.” This time the court ruled in Morrisons’ favour but a future case could reopen that argument.
Employees can become Data Controllers in their own right
One of the interesting things to come out of the cases (from High Court all the way up to the Supreme Court) is that should an employee copy data for their own purposes, they then become the Data Controller for that copy. They could then be liable directly under the Data Protection Act 2018 (GDPR) for any unlawful processing relating to that copy. This provides an avenue for those Data Subjects to seek a remedy directly against the employee…although the likelihood of getting any meaningful amount of compensation from a private citizen is pretty low. This is why the ruling is so surprising because it has the effect of reducing the remedy available to Data Subjects as a result of rogue employees abusing data entrusted to the employee’s company.
What does the ruling mean for my business?
The key takeaways for businesses are whilst employers may not vicariously liable for an employee deliberately breaching the UK Data Protection Act, a security breach of the kind described in this case is still a reputational nightmare and is likely to attract regulatory scrutiny. Even if the organisation is not found to be in breach of the DPA directly (which the ICO determined in the Morrisons case), employers could still be exposed to legal risk. This case left open the question of the potential for vicarious liability where the employee was engaged in furthering his employer’s business for example.
This means it is still incumbent upon employers to ensure they have put in place appropriate technical and organisational measures to reduce the insider threat. Simply trusting employees is not enough. There are plenty of measures that were available at the time of the Morrisons incident that, had they been implemented, could have reduced the extent damage to Morrisons as an employer. Many of the controls are actually built into common operating systems and email environments. Some key questions business leaders should be asking are:
- Detection: What monitoring do we do? Would it have picked up this type of security breach? If it does, how long after the breach would a human be notified? Have we exercised an incident of this type to confirm the effectiveness of our controls?
- Prevention: Have we controls to prevent data leakage across all potential exit points (e.g. Web services, Cloud Apps, Email, FTP, USB, Cut & Paste)? Does everybody with access to egress data need that access, is the business case documented and signed off?
- Trust: Do we assume our security and audit staff are inherently trustworthy? Are the security staff within scope of monitoring programmes? Does our organisation increase monitoring of employees based on their role and level of access?
- Risk Management: Does our Data Leakage Prevention programme account for the increased risk of new employees (who don’t yet know the rules and may accidentally breach data protection principles); employees who have been disciplined (who may become disgruntled and deliberately breach data protection principles) and; leaving employees (who within their notice period send themselves data, such as client contact details, to get a head start in their next role)? Is our security investigations process integrated with our HR disciplinary processes?
These are some of the key questions but there are more. If you or your organisation would like help with identifying the gaps in your Data Leakage Prevention (DLP), Incident Management or Security Monitoring programmes Fox Red Risk can help. Get in touch to find out how we can help!
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301:2019 article 25 article 28 awareness bcms breach change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership management operational resilience Outsourced DPO Privacy processor resilience risk risk appetite risk management ROI security security as a service small business soc strategic strategy Subject Access Request training transparency vciso virtual ciso vulnerability scanning