On December 1, 2017, the High Court of England and Wales found the fourth-largest supermarket chain in the UK, Wm Morrisons (“Morrisons”), vicariously liable for a data breach caused by the intentional criminal actions of one of its employees, namely the leaking of payroll information online.
The breach affected almost 100,000 Morrisons employees and the action, brought by 5,518 former and current employees, is considered to be the first of its kind in the United Kingdom. The data compromised in the breach included personal data such as names, addresses, and bank account details.
In March 2014, payroll data relating to almost 100,000 Morrisons employees was disclosed on a file-sharing website by a disgruntled Morrisons employee (“Mr. Skelton”). Mr. Skelton had been entrusted by Morrisons with the data for the purpose of facilitating account auditing. He copied the dataset onto a personal USB drive and posted it to a file-sharing website. He was found to be criminally liable for the breach and was imprisoned for eight years for fraud, securing unauthorized access to data, and disclosing personal data.
A legal action seeking damages on behalf of 5,518 former and current Morrisons employees whose data was leaked was premised on Morrisons being either directly liable or vicariously liable for Mr. Skelton’s acts. The action alleged that Morrisons had committed a breach of statutory duty under the Data Protection Act 1998, among other things.
The High Court held that Morrisons was not directly liable for the breach. The judgment states that where a corporation “is in no sense responsible for authorising or requiring” the breach and the employee is acting against the employer’s wishes in committing the breach, the liability may be vicarious but not direct (para. 49).
The High Court ruled that vicarious liability under the Data Protection Act 1998 may be applicable notwithstanding the fact that the Data Protection Act does not expressly refer to it. Citing past case law (Majrowski [2006 UKHL 34]), the High Court held that employers can be vicariously liable for the actions of their employees where an employee commits a breach of statutory obligations, while acting in the course of his employment, unless legislation expressly or impliedly indicates otherwise. Moreover, the High Court reasoned that vicarious liability could further the legislative purpose of the Data Protection Act: to protect the rights of data subjects.
On the facts of the case, the High Court found Mr. Skelton to have been acting “in the course of employment”, adopting a broad interpretation of the scope of employment (consistent with past case law: Bazely v Curry [1999 174 D.L.R. 4th 45], Lister [2001 UKHL 22] and Mohamud [2016 UKSC 11]). Accordingly, Morrisons was held to be vicariously liable.
In addition to the central issue of vicarious liability, the High Court addressed a number of other issues, including:
- Security standards. The High Court clarified that the fact that a level of security is available but has not been implemented does not — by itself — amount to a failure to reach an appropriate standard. Applying a balancing test is necessary. The High Court found that Morrisons had violated the security principle of the Data Protection Act 1998 by not having a policy for deletion of data held outside its normal secure repository. However that violation did not cause any loss nor did it enable Mr. Skelton’s breach. On the facts of the case, therefore, the High Court found that Morrisons did provide “adequate and appropriate [security] controls”.
- Employee monitoring. The High Court considered routine employee monitoring as needing justification on an individual basis. Active monitoring is not the norm in businesses such as Morrisons and may be deemed unnecessary in the context of its business.
Unhelpfully, the High Court did not resolve the dispute as to the burden of proof. In other words, it remains unclear whether a claimant needs to prove a violation of the Data Protection Act 1998 or whether the defendant needs to prove that its arrangements were appropriate.
The ruling could have widespread implications for employers and potentially lead to more actions of this kind. The ruling means that employers that may not have directly or actively breached their data protection obligations under UK data protection legislation may nonetheless be held to be vicariously liable for an employee’s acts, notwithstanding that the employee acted independently and that it was not unreasonable for the employer to entrust the employee with the data. Further, this liability is, apparently, not diminished by the fact that the employee’s acts were deliberate and specifically intended to cause harm to the employer (as was the case on the facts for Morrisons and Mr. Skelton).
Interestingly, and at the end of the judgment, the judge indicated that he was “troubled” by the ruling as it could be interpreted as furthering the criminal aims of Mr. Skelton, specifically his aim to hurt his employer, Morrisons. The judge recognized that the issues raised were suitable for consideration by a higher court. Reports indicate that Morrisons will appeal.
This is reportedly the UK’s first data protection “class action”, a trend which may increase from May 2018 when the EU General Data Protection Regulation rules come into force, including those contemplating collective actions for redress in respect of data breaches. That Regulation makes use of the EU concept of “undertaking” which in the competition law context has led to parents being held liable for the acts of their wholly owned subsidiaries.