In October, the Court of Appeal handed down its much awaited decision in WM Morrison Supermarkets PLC v Various Claimants EWCA Civ 2339, upholding the High Court’s ruling that Morrisons was vicariously liable for the malicious leak of personal data about its workforce by a disaffected employee. The judgment contains both good news and bad news for employers: the good news is that a deliberate breach by a rogue employee does not inevitably mean you have failed to meet your security obligations under the GDPR. The bad news, however, is that you may still be liable to those affected by the breach.
At the time of the incident (in 2014), the employee was one of the company’s senior IT internal auditors. After taking exception to disciplinary action taken against him by Morrisons for an unrelated incident, he uploaded the payroll details (including bank details) of almost 100,000 Morrisons employees to a file-sharing website, attempted to “frame” another colleague and then anonymously “tipped off” three national and local newspapers just before the company’s annual accounts were due to be released that year.
When informed of the breach, Morrisons had the information taken down within a matter of hours. The former employee was convicted of fraud and of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (the “DPA”), and was handed an eight-year custodial sentence. To date, no evidence has been submitted to show that any of the affected employees suffered financial loss as a result of the incident. Nevertheless, individuals had a right to seek compensation for damage or distress arising from a breach of the DPA, and these proceedings were brought by around 5,000 of those employees under a Group Litigation Order.
In the Court of Appeal both Morrisons and the claimants accepted that the employee had, as a result of his actions, become an independent data controller for the purposes of the DPA. Further, the claimants argued that the actions of the employee amounted to a breach of confidence and/or misuse of their private information. As Morrisons was not the relevant data controller under the DPA at the time that the breach occurred, and could also not be directly liable for claims of breach of confidence or misuse of private information, the central issue became whether Morrisons could be vicariously liable for the actions of the rogue employee. This turned upon whether vicarious liability was available for claims of the type brought under the Group Litigation Order, and whether the actions of the employee were sufficiently connected to his employment.
The Court of Appeal held unanimously that:
- Contrary to submissions made by Morrisons, the common law remedy of vicarious liability had not been expressly or impliedly excluded by the DPA in respect of claims brought under the legislation or under actions for breach of confidence or misuse of private information. In other words, the DPA left those areas of law unaffected.
- For the purposes of vicarious liability, the “field of activities” entrusted to the employee included the handling of confidential information, such as the payroll data, on a daily basis. The High Court had been right to conclude that there was “an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events”. This was despite the fact that the employee had “leaked” the data by uploading it from his home computer during a weekend, some weeks after he properly had reason to access it in the workplace.
What can we learn from this judgment?
Protecting the business against rogue or negligent employees, or against accidents!
In the High Court it was held that the disciplinary process carried out with respect to the employee (which resulted in a formal verbal warning) would have given Morrisons no reason to consider that the employee could not be trusted. It was also noted that technology available at the time, in 2013/2014, could not have “prevent[ed] the risk posed by a rogue employee who was trusted and had given no reason to doubt his trustworthiness”.
As technology and methods of employee monitoring evolve, organisations should consider how measures can be implemented to reduce the risk presented by routine tasks, or disgruntled employees. However, employee monitoring will not necessarily be the most appropriate area of focus and can give rise to its own risks – excessive, unjustifiable monitoring could itself breach the privacy rights of employees. An employer must strike a proportionate balance between reducing risk, and encroaching on the privacy rights of employees.
Data breaches in recent years have shown that human errors, such as including a recipient in the “CC” instead of “BCC” line of an email, can give rise to liability if the nature of the information concerned is sufficiently sensitive. While it will not be possible to prevent all breaches, there may be simple steps that can be taken to guard against more obvious risks (for instance, preventing information being downloaded onto portable media devices).
An ounce of prevention
Generally, prevention is better than a cure in cases of employee errors or malicious acts. Data access controls and permissions will become more critical, and “work-arounds” carried out without formal scrutiny should be avoided. The situation in Morrisons appears to have arisen partly from the limitations of the IT system, which prevented the payroll data required by Morrisons’ external auditors from being emailed. This led to a physical “work-around” – downloading the data onto an encrypted company USB – which gave the rogue employee a greater opportunity to subsequently retain a copy of the data.
Dealing with the financial implications of liability under data protection legislation
As might be expected, submissions appear to have been made by Morrisons that finding vicarious liability on the facts of the case would lead to the imposition of potentially vast and “ruinous” (in the words of the Court of Appeal) amounts of damages. The court was sympathetic but not swayed by these arguments, noting that if there was no vicarious liability then victims would have no remedy except against the employee personally. The solution to these “Doomsday or Armageddon” arguments put forward on behalf of Morrisons was, the court said, “to insure against such catastrophes”.
Morrisons’ liability in this case arose from the processing of payroll data, which is common to all organisations. This suggests that cyber insurance is coming of age and should no longer be considered the preserve of companies that carry out “high risk” processing, are consumer-facing or perform outsourced functions on behalf of clients. Every company with employees is legally responsible for personal data and this is capable of giving rise to significant liability, particularly under the General Data Protection Regulation (the “GDPR”).
Vicarious liability has its roots in public policy and fairness. While the case brought against Morrisons did not make new law as far as the doctrine of vicarious liability is concerned, the judgment illustrates how accidental or even intentional breaches of data protection law can give rise to liability.
Claims for data misuse/breach
There has been much commentary – triggered by the advent of GDPR – about how there is likely to be a rise in class action type proceedings by or on behalf of groups of individuals where there has been a breach of data protection legislation.
In fact, as this case shows, the English court rules already allow this type of claim to be brought, either by large groups of claimants seeking a “group litigation order” or via the existing rules on representatives bringing a claim on behalf of a class of individuals. However, these tend to be difficult claims to get off the ground: the English jurisdiction seems reluctant to open the gates to large class-style actions in all but the clearest cases. In that sense the Morrisons case, brought under the DPA, seems to be an exception. It remains to be seen whether the explicit references in the GDPR to representative actions (Article 80) and to the ability to seek damages even where no financial loss has occurred (Article 82) will mean that corporates do now face an increasing risk of litigation.
The Court of Appeal made no criticism of Morrisons in its judgment, finding that the company had, by and large, taken the steps required to discharge its own responsibilities as a data controller under the DPA. The significance of the judgment is therefore that it demonstrates the scope of liability that can arise when a relatively untested cause of action (such as that under the DPA) is combined with long-established common law principles (such as vicarious liability). The case is likely to be considered in due course by the Supreme Court.