Employers’ Liability where a Data Breach was Caused by an Employee
On 22nd October 2018 the Court of Appeal delivered its judgement in the case of WM Morrison Supermarkets PLC v Various Claimants. This was an appeal by Morrisons against the decision of Mr Justice Langstaff sitting at the High Court who held that Morrisons were vicariously liable for the criminal actions of their disgruntled employee, Mr Skelton.
How Did the Court Hold the Employer Vicariously Liable?
Without the authority of his employer, Mr Skelton had improperly retained a copy of personal data of his co-employees, which he posted on a file sharing website and also posted links to the site on other websites. He subsequently sent CDs containing the personal data to three newspapers. The personal data in question was the names, addresses, genders, dates of birth, bank account details, phone numbers, national insurance numbers and salaries of almost 100,000 Morrisons’ employees.
Within a few hours of being notified of the breach, Morrisons had ensured that the website had been taken down and had notified the police. After a police investigation, Mr Skelton was charged and thereafter convicted of fraud, one offence under the Computer Misuse Act 1990 and another offence under section 55 of the Data Protection Act 1988 (‘the DPA’). He was sentenced to a term of eight years’ imprisonment.
Civil proceedings were brought against Morrisons by 5,518 employees for damages and interest for the misuse of private information, breach of confidence and breach of statutory duty, owed under section 4(4) of the DPA.
The Court of Appeal found “…the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.”
The Court of Appeal agreed with the judge at first instance that there was an unbroken thread that linked Mr Skelton’s work to the disclosure; what had happened was a seamless and continuous sequence of events.
The judges noted that in this case, the claimants had not suffered any financial loss, but if they had done so, their only remedy, if Morrisons were not held to be vicariously liable, could be to seek a remedy against Mr Skelton. But employers can insure against losses caused by dishonest or malicious employees, and whilst this was not a reason for imposing liability, it was a valid argument against the ‘Doomsday or Armageddon’ argument advanced by counsel on behalf of Morrisons.
Morrisons have indicated that they will appeal to the Supreme Court.
What Does this Judgement Mean for Employers?
The Data Protection Act 1988 has now been replaced by GDPR and the Data Protection Act 2018. As the new legislation does not explicitly exclude vicarious liability, the Morrisons case will remain current law in England and Wales under the new data protection regime, which means that employers can still be held vicariously liable for the wrongful acts of their employees.
An employer can take steps to try to limit its liability by ensuring that proper policies and procedures, staff training and checks and balances are in place, and by acting promptly as soon as a breach is discovered. Such actions helped Morrisons to avoid primary liability for the breach.
As the Court of Appeal judges stated, the employer may also be able to insure against this risk. An insurance company is likely to want to know what steps an employer has taken to avoid such a breach, such as pre-employment checks together with those set out in the above paragraph.