Morrisons vicariously liable for deliberate data breach by "rogue" employee

Yesterday the Court of Appeal confirmed that the supermarket, Morrisons will have to pay damages to thousands of employees whose data was unlawfully shared by an employee, with a grudge against the company, even though it was not blamed for the breach and couldn't have taken any reasonable steps to stop it.

This decision confirms that businesses can be held responsible for data breaches by their staff, even where they act without authority.

Background

Mr Skelton was a senior IT internal auditor employed by Morrisons.  He was given an oral warning for misusing his employer's postal facilities. To get his own back, he copied data containing information about nearly 100,000 members of staff, which he (anonymously) then placed on a file sharing website.

The data consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary details of the staff.

A couple of months later Mr Skelton, clearly peeved that no-one appeared to have discovered the breach, anonymously sent a copy of the data to three newspapers. The newspapers notified Morrisons and, within a few hours, the website was taken down and the police informed.

Mr Skelton was convicted of fraud, an offence under the Computer Misuse Act 1999 and under section 55 of the Data Protection Act 1998. He was imprisoned for eight years.

The claims

Over 5,500 employees brought a joint action against Morrisons seeking damages for the misuse of their personal information. None appeared to have suffered any direct financial loss.

They alleged that Morrisons’ was primarily liable forthe breach and, alternatively, it was vicariously liable for the wrongfulconduct of its employee.

The High Court said that Morrisons was not responsible for the breach. Mr Skelton had access to data in his role as a data controller; it had no reason to doubt his trustworthiness and had proper procedures in place to make sure that data was handled properly.  Despite this, the company was vicariously liable for the deliberate and criminal breaches of payroll data.

Decision of Court of Appeal

Morrisons' argued that employers cannot be held vicariously liable for the actions of its data controller under the Data Protection Act 1998 and/or it should not be held responsible for his deliberate and criminal actions.

The Court of Appeal said that companies can be held vicariously liable for data breaches of their staff if their job involvesprocessing data and there is a "close connection" between this and their wrongful conduct.  

Mr Skelton was data processor, deliberately entrusted with payroll data. His job was to receive, store and disclose the data to the company auditors. Although he chose to act unlawfully, his actions were "closely related" to what he was employed to do. 

Morrisons could not escape liability purely because Mr Skelton's motive was to cause financial or reputational damage to its employer. 

Implications

In recent years, there have been many significant data breaches caused by corporate system failures or staff negligence. The court acknowledged that its decision in this case could result in claims for damages for "ruinous amounts".

To avoid this, it suggested that businesses insure against losses caused by dishonest or malicious employees. 

Whilst this seems a harsh decision, there are lessons that can be learnt here surrounding how data is stored and what checks and balances can be put in place. Businesses should also check their insurance policies cover this type of loss and upgrade these if necessary.

Would the decision have been decided differently under GDPR?

According to our data protection experts, Mr Skelton would have still committed an offence under section 170 of the new Data Protection Act 2018 which came into force in May.

The GDPR is a bit more detailed in respect of what a controller must consider when assessing security, but it takes the same high level risk based approach (i.e. its for the controller to self-assess). Therefore, we doubt the position would have been materially different under GDPR. This suggests that Morrisons' would be unlikely to be held directly responsible for the breach.  However, the position with regard to vicarious liability is likely to be unchanged.

Need more information? 

Please contact our expert Glenn Hayes: glenn.hayes@irwinmitchell.com or 44 (0)113 218 6484.

Our fixed price employment law service

If you are interested in finding out about how we can support you with our fixed-fee annual retainer, or flexible discounted bank of hours service, please contact Rachel Hetherington: rachel.hetherington@irwinmitchell.com or: 44 (0)121 203 5355 for a no obligation quote.

Morrisons says it will appeal a decision that leaves it facing a "vast" compensation bill for a data leak.”