In early 2014 details of 99,998 employees of Morrisons, including names, contact and bank details, were posted on a file sharing website. Within days, Andrew Skelton, a Senior IT Auditor employed by Morrisons, was arrested. Mr Skelton had been disciplined and suspended in connection with an unrelated incident some months earlier. In what appears to be an act of retribution against Morrisons, he copied the business' HR records onto a personal USB stick before uploading the information online. He was later charged and convicted of Computer Misuse and breach of the Data Protection Act and sentenced to 8 years imprisonment.
Subsequently, the affected employees at Morrisons commenced the UK's first ever Group Action for breach of the Data Protection Act. In a judgment handed down this week, the court found that Morrisons were vicariously liable for the acts of Mr Skelton.
In considering the merits of the case against Morrisons, the Court accepted that the systems in which data was held by businesses would always have imperfections and that there would always be risks associated with user error, or, as in this instance, acts of malice. Although the Court held that the larger the organisation the more it could be expected to spend on protecting data, ultimately there would always be a risk posed by rogue employees. On this basis, it held that Morrisons had not directly breached the DPA for a number of reasons including that it had adequate data safeguards in place.
However, the court went on to find against Morrisons on the basis that it was vicariously liable for Mr Skelton's actions. Mr Skelton was an employee, acting in the course of his employment, having been placed in a position where he had the means to access, and thereafter copy, the data in question. His role at Morrisons was sufficiently closely connected to his unlawful acts to make Morrisons vicariously liable for them.
The court accepted that the intention of Mr Skelton's acts was to harm Morrisons and in adjudging it vicariously liable the Court was, in an indirect way, assisting Mr Skelton in achieving his goal. For this and other reasons, Morrisons had been granted permission to appeal the finding of vicarious liability.
This judgment may expose Morrisons, and other businesses, to significant liabilities even when they may have done little wrong. This is exacerbated by the ruling in Vidal-Hall v Google that allows data subjects to generally claim distress damages; a head of claim that is not usually available. This makes it much easier to find a group of potential Claimants who all have at least some recoverable loss following a security breach as all of them may be able to claim at least some level of distress.
The question is whether the combination of these two rulings, plus the stricter regime under the new General Data Protection Regulation, may encourage other Group Actions in response to privacy breaches.