In a group action claim for data theft, the Court of Appeal has upheld an earlier decision that the Morrisons supermarket (Morrisons) was vicariously liable for the criminal actions of a rogue employee who publicly released personal data about Morrisons’ staff, irrespective of the fact that Morrisons had taken what the court considered to have been appropriate steps to mitigate the risk of criminal actions.
The Claimants’ claim arose from the actions of Andrew Skelton. Mr Skelton was a senior IT internal auditor employed by Morrisons who began to harbour a grudge following a disciplinary hearing in which he received a verbal warning for his conduct. Having been tasked with providing Morrisons’ external auditor with confidential employee data – including Morrisons’ payroll data – he copied and uploaded the data to a file-sharing website and provided copies to three newspapers. One of the newspapers alerted Morrisons. Mr Skelton was arrested and charged with fraud, an offence under the Computer Misuse Act 1990 and an offence under Section 55 of the Data Protection Act 1998 (DPA), and was later sentenced to eight years’ imprisonment.
The Claimants (5,518 Morrisons employees) issued a group action against Morrisons seeking damages for misuse of private information, breach of confidence and breach of statutory duty, arguing that, in failing to prevent the breach, Morrisons was directly liable for the misuse of private information and breach of confidence, or alternatively was vicariously liable for the conduct of Mr Skelton.
At first instance, the Court rejected primary liability for misuse of personal information or breach of confidence, finding that Morrisons did not directly misuse or authorise or carelessly permit the misuse of information personal to employees.
However, the Court held that there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct, given that it was Morrisons who had put him in the position of handling and disclosing the data, to make it right for Morrisons to be held vicariously liable.
There were three grounds of appeal: (1) that on its proper interpretation, the DPA excludes the application of vicarious liability; (2) that the DPA excludes causes of action for misuse of private information and breach of confidence (whether directly or vicariously); and (3) that the wrongful acts did not occur in the course of Mr Skelton’s employment, so Morrisons was not vicariously liable for those acts.
In respect of the first two grounds, a central plank of Morrisons’ position was that the DPA already provides a comprehensive statutory code for the wrongful processing of personal data. On that basis, Morrisons argued, the DPA expressly or impliedly excludes any scope for liability on an employer for the wrongful processing of personal data by an employee, whether the data controller is the employer or the employee, and so vicarious liability could not attach. The Court of Appeal was not, however, persuaded by that argument.
As to the third ground, the Court of Appeal took the opportunity to restate the key requirements of establishing vicarious liability, namely:
Upholding Langstaff J’s first instance finding that “there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events”, the Court of Appeal held that the requirements for establishing vicarious liability were satisfied, finding in favour of the group claimants.
This is the first case we are aware of that applies the concept of vicarious liability to a data breach, and the Court of Appeal’s decision is one that all employers should be aware of, the Court expressly recognising that this decision could lead to a large number of claims being brought against employers for data breaches.
How then to protect against such liability? Removing the risk entirely is unlikely to be possible, but putting in place robust data protection systems, obtaining insurance against such eventualities, and establishing in advance a structure for dealing with data breaches, whether through legal or technological means, would certainly be a sensible precautionary measure.