The most recent round of litigation in the Morrisons data breach litigation ended in success for Morrisons at the Supreme Court. The headline ruling was that Morrisons was not vicariously liable for the acts of a rogue employee who stole and distributed employee data. The decision will be of interest to organisations and cyber insurers alike in the context of liability for data breaches.
In 2013 Mr Skelton, a disgruntled employee of Morrisons, maliciously copied and later published online the payroll records of approximately 100,000 employees. Skelton was later convicted of various offences and sentenced to 8 years imprisonment. 9,000 of the affected employees have brought claims against Morrisons alleging that it breached the Data Protection Act 1998 in failing to keep their personal data secure.
In 2017 the High Court accepted that Morrisons was not directly responsible for Skelton's dissemination of the employee data as Morrisons ceased to be the data controller once the data was taken by Skelton without authorisation. This decision was in line with past ICO guidance and long understood privacy practice.
As data controller, Morrisons was still responsible for ensuring that there were adequate organisational and technical measures to secure its employee data before it was taken by Skelton. The High Court found that Morrisons had adequate safeguards in place, save in one respect – that it did not have a system for ensuring that employee data was promptly and routinely destroyed after being copied by an employee for a legitimate reason (which Skelton initially did). However, the Court went on to say that even if such a safeguard had been in place, it would not have stopped Skelton then taking a further copy of the data without authorisation for his own purposes. That would appear to make it difficult for the Claimants to mount a claim for substantive losses on this basis.
However, the High Court also found that Morrisons was vicariously liable for Skelton's actions. The argument was that Skelton became a data controller when he acted without authority, Skelton clearly breached the DPA and Morrisons were vicariously liable for the acts of Skelton as its employee under ordinary common law principles. This effectively imposed DPA liabilities on Morrisons by an alternative route.
The High Court acknowledged that this was a very difficult decision as it potentially put the law on vicarious liability in conflict with the core framework of the DPA, namely that organisations are only legally responsible for data under their control – and yet Skelton was plainly not under Morrisons' control. The Court had also in effect assisted Skelton in his objective which was to hurt Morrisons. The High Court ultimately adopted a simple reading of the law, which concluded that there was nothing in the DPA that excluded the common law on vicarious liability and so those principles had to be applied.
Morrisons appealed to the Court of Appeal but the appeal was dismissed on substantially the same grounds as the High Court. And so the case moved on to the Supreme Court, which was all but the inevitable final destination. As Lady Hale commented at the end of the hearing, this was one of the most fascinating cases she had heard as a Judge.
The Supreme Court
Morrisons appealed to the Supreme Court on two issues, namely:
- Whether the Court of Appeal erred in concluding that the disclosure of data by Skelton occurred in the course of his employment, for which the appellant should be held vicariously liable; and
- Whether the DPA excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence.
The Supreme Court allowed Morrisons' appeal, finding that Mr Skelton's actions did not amount to vicarious liability. The act of wrongfully disclosing data was not closely connected with his authorised activities. It was not an action with the intention of furthering his employers' business, but rather an action pursuing a personal vendetta.
While immaterial to the success of Morrisons' appeal, the Supreme Court provided guidance in respect of the second point of the appeal, namely the potential conflict between the DPA and vicarious liability. The Court found that the DPA did not exclude the imposition of vicarious liability. The Court considered that data protection legislation was intended to increase, not lessen, the protection afforded to personal data.
Further, it was held, the DPA did not expressly or impliedly exclude the principle of vicarious liability where an employee commits a breach of a statutory obligation sounding in damages while acting in the course of his employment. The statutory liability on a data controller was not considered inconsistent with the co-existence of vicarious liability at common law, with the Court commenting that "Since the DPA is silent about the position of a data controller’s employer, there cannot be any inconsistency between the two regimes".
This decision may dampen the spirits of those looking to bring class action claims for data breaches. The technical legal points are specific to this case. But undoubtedly a litigation funder will have sunk a substantial amount of money into supporting this litigation and is now unlikely to see a return on that investment. Nevertheless, other data-related class actions are ongoing (see Lloyd v Google) and the trend towards mass claims in this space is only growing.
The Supreme Court's decision does however have practical implications for organisations:
1. Be vigilant
Organisations are now vulnerable to claims brought as a result of the malicious actions of employees. Morrisons were able to defeat these claims due to Skelton going so far outside of his role and by having adequate safeguards in place to control the use of data by its employees (and so avoided direct liability under the DPA).
There is however a fine balance to be struck between the protection of personal data and the rights of employees not to be subject to intrusive monitoring. Organisations need to ensure that they are fully aware of the rights and obligations on both sides.
2. Check insurance cover
Organisations should check the terms of relevant insurance policies and make sure that it provides cover against a the range of risks which may be presented, to include malicious acts of those within the organisation itself, along with any other foreseeable risks. This litigation took 5 years to reach the Supreme Court and it has been over 6 years since the original data breach. The legal costs incurred by Morrisons in that time must have been significant, as will have been the time and effort of the business dealing with reputational issues and communications with existing staff.
Organisations should consider whether they have appropriate insurance policies in place, providing protection against threats, both internal and external. As additional breach circumstances arise organisations will need to review the policies they hold, to determine whether they are covered against similar risks, updating insurance policies as and when they are alive to threats not covered by their existing policies.