Morrisons' Vicarious Liability for Data Breach Upheld

The data breach

The case centred on the actions of a senior IT auditor formerly employed by Morrisons, Mr Andrew Skelton,. During his employment at the supermarket, Mr Skelton copied the employee data of 99,998 Morrisons' employees onto a personal USB stick, and some months later (at his own home) posted the personal data on a file sharing website. Local newspapers were anonymously tipped of this serious data breach, who then alerted the supermarket, prompting the take-down of the website as well as criminal action against Mr Skelton. Mr Skelton was jailed for 8 years for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (the "DPA").

The original claim against Morrisons

5,518 of the affected employees joined group litigation against Morrisons in the UK High Court alleging both primary and vicarious liability for: (i) misuse of private information; (ii) breach of confidence; and, (iii) breach of the DPA. 

Primary Liability

At first instance it was held that Morrisons was not directly liable in respect of any misuse of private information or breach of confidence, stating that it was Skelton "acting without authority and criminally". The Judge further held that it was Skelton, not Morrisons, who was the data controller at the time of the data breach.

In the judgment, 6 areas were identified where Morrisons - in its role as Skelton's employer, thereby facilitating Skelton obtaining the data - could have directly breached the seventh data protection principle, which requires "appropriate technical and organisational measures" to prevent the unlawful use of data ("DPP7"). Morrisons was deemed to have provided "adequate and appropriate controls" in every area save for managing the deletion of data. In any event, such a failure could not have prevented the data breach, and therefore Morrisons was also not primarily liable for the breach under the DPA.

Vicarious Liability

Morrisons was held to be vicariously liable under all three causes of action in relation to its employee's nefarious acts. It was Skelton's grudge against Morrisons that led the judge at first instance to grant permission to appeal, on the basis that the Court could be rendered an accessory to the original crime, the intended victim of which was the supermarket now being sued for the wrongful acts. 

Grounds of appeal

Morrisons appealed on three grounds: (i) the DPA excludes vicarious liability; (ii) the DPA excludes causes of action under misuse of private information and breach of confidence (whether directly or vicariously); and, (iii) the actions of Skelton did not occur during the course of employment, therefore Morrisons could not be held vicariously liable. 

Grounds 1 and 2

It was accepted at first instance that vicarious liability can apply to breach of statutory duty by an employee, unless expressly or impliedly indicated otherwise. Morrisons sustained on appeal that DPP7 excludes vicarious liability as it has the effect of imposing a primary liability on Morrisons for the wrongful act of its employees. The Court of Appeal considered the first ground as merely a "stepping stone" to the second and so did not deliberate at length on this point.

Morrisons' underlying argument on the first two grounds was focused on the DPA providing a comprehensive and specialist code that necessarily excludes other causes of action and remedies in relation to the wrongful processing of personal data. The supermarket argued – per Lord Dyson in R (Child Poverty Action Group) - that where the common law and statute cover the same remedies and there exists "substantial" inconsistency, then by "necessary implication" the common law must be excluded (as this would have been the intention of Parliament). The Court of Appeal however held that this is not the effect of the DPA, on the basis that there were no such substantial inconsistencies. Further, such a view would curtail the remedies available to data subjects, and is thus inherently misguided.

The Court identified three principal obstacles to Morrisons' position on grounds 1 and 2. Firstly, if Parliament had intended such significant "eradication" in the law, they would have expressly stated so. Secondly, there was obvious inconsistency in Morrison's concession that tortious and equitable causes of action operate in parallel with the DPA for the purposes of primary liability, whereas not in the case of vicarious liability.  Thirdly, the DPA is "only concerned with the primary liability of the data controller", and does not enter the field of secondary liability, therefore it cannot be said that Parliament had intended to restrict common law vicarious liability. 

Ground 3

The Court of Appeal provides a thorough overview of the central tenets of establishing vicarious liability, ultimately agreeing with the judge at first instance. Skelton was employed by Morrisons and specifically entrusted with payroll data, and there was a sufficient connection between his authorised tasks and the wrongful acts perpetrated by him. Morrisons' position that vicarious liability only applies when the employee is "on the job" was rejected; rather it was held that "there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events".

In response to the concern of making the court an accessory in Skelton's vengeance against Morrisons, the Court applied Mohamud v WM Morrison, stating that the motive of the employee is irrelevant, and the present case was no exception. 

What does this mean for employers?

As the first case applying vicarious liability to data protection, Morrisons' failed appeal is one for employers across the board to take notice of. We are reminded that cyber-security is not limited to nullifying state actors and criminal hackers, but includes protecting against the internal threat of rogue employees. The decision is particularly notable in light of the ICO's conclusion, following its investigation into this case, that Morrisons had not breached the DPA and as such should not be fined.

The Court of Appeal specifically rejected Morrisons' public-policy argument that vicarious liability in similar scenarios imposes a disproportionate burden on supposedly "innocent" employers. The Court's strict stance in that regard should be viewed in conjunction with the possible increase in data protection-related group litigation now that the GDPR is in force. Employers should ensure that: (i) adequate safeguards are put in place to combat their own Skelton, including strictly applied codes of conduct, close monitoring of how sensitive data is handled, and even introducing indemnities into employment contracts as a financial deterrent to potential rogue employees; and, (ii) sufficient insurance policies are taken out in the event of "Armageddon" - as the Court put it.

To what extent are data controllers held vicariously liable exposed financially? Damages are to be assessed separately, so watch this space for updates…