Summary: Can an employer be vicariously liable (i.e. responsible) for the criminal actions of a rogue employee in breach of the Data Protection Act?
Yes, says the High Court, in Various Claimants v Wm Morrisons Supermarkets plc.
Facts: The employee, Andrew Skelton, was a Senior IT Auditor at the employer, Morrisons. In 2013, he had received a verbal warning for a matter unrelated to the present case. Mr Skelton did not agree with the level of sanction he received and decided to damage Morrisons.
In November 2013, KPMG were carrying out an audit of Morrisons’ payroll data. Mr Skelton did not normally have access to payroll data, which was limited to a handful of “super-users”. The data was usually stored in a secure internal environment created by software known as “Peoplesoft”.
However, in order to help KPMG, the IT internal audit team, including Mr Skelton, was asked to gather all the data requested by KPMG. Accordingly, the payroll data was extracted from Peoplesoft and transferred to Mr Skelton’s laptop via a USB drive. Mr Skelton provided KPMG with the information they had requested, but retained a copy.
On 12 January 2014, a file containing personal details of nearly 100,000 Morrisons employees was posted on a file-sharing website. Shortly afterwards, links to the website were placed elsewhere on the web. The data consisted of personal data (e.g. names, addresses, dates of birth, salaries, bank details, etc.).
On 13 March 2014, a CD containing a copy of the data was received by various newspapers in the UK. The newspapers did not publish the data and Morrisons was informed of the data breach. Within a few hours Morrisons had taken steps to ensure the website had been taken down. It also alerted the police.
On 19 March 2014, Mr Skelton was arrested. He was later sentenced to 8 years in prison for offences arising from disclosing Morrisons’ employees’ personal data. At Mr Skelton’s criminal trial there was no doubt that it was the previous verbal warning that caused Mr Skelton to act as he did.
Subsequently, 5,518 Morrisons employees whose data had been disclosed brought claims against Morrisons for compensation under 1) the Data Protection Act 1998 (DPA); 2) the common law for the misuse of private information; and 3) equity for breach of confidence. These claims were made on the basis that Morrisons was primarily liable for its own acts and omissions, and vicariously liable for the actions of Mr Skelton that harmed his fellow workers.
The High Court held that Morrisons was not primarily liable for the data breach, as it had generally put adequate controls in place to protect the data, and its one error in this regard did not cause or result in the data breach.
However, the High Court said Morrisons was vicariously liable for Mr Skelton’s actions. It held that the DPA does not exclude the possibility of vicarious liability and that an employer can be vicariously liable for the actions of employees in relation to data breaches. Mr Skelton had received and copied the personal data during the course of his employment and Morrisons was vicariously liable for his acts.
The High Court found that “there was an unbroken thread that linked [Mr Skelton’s] work to the disclosure: what happened was a seamless and continuous sequence of events” even though the disclosure itself did not occur on a company computer or during working hours.
Implications: This is an important finding, as it means that employers can still be vicariously liable even though they had appropriate policies and procedures in place to train employees and protect personal data. In other words, avoiding liability is not simply a case of demonstrating that appropriate measures have been implemented in accordance with data protection legislation.
Given the potentially significant number of victims who may seek damages for distress following a data breach, the implications for employers are substantial. With the General Data Protection Regulation (GDPR) coming into force in May 2018, the implications of data breaches for employers will become even more significant (see our updates on the GDPR here).
Employers should be alert to potential liabilities in this area and review employee monitoring practices as well as recruitment and training measures. For employee-driven “inside jobs”, employers will want to consider how to limit risk, as they may be liable for employee criminal behaviour regardless. While companies may already have insurance in place in respect of breaches of the DPA, this should be re-examined in light of this decision and the GDPR.
Given the significance of this issue, Morrisons has been given leave to appeal, and is appealing, against this decision. We’ll keep you up to date on this, so watch this space…