A concerning case for employers came out of the High Court at the start of this month. In a case which has the potential to open the door to large-scale actions by affected data-subjects, the court in Various Claimants v Wm Morrisons Supermarket PLC held for the first time that employers can be vicariously liable for data protection breaches by employees.
With the GDPR imposing mandatory data breach reporting requirements on employers and encouraging group litigation claims, this case could have serious ramifications for employers, which are considered below. For a detailed analysis of the case and its implications, Ian De Freitas and David Morgan have produced a full article available here.
Here is what happened:
- A senior IT auditor at Morrisons, Andrew Skelton, was responsible for delivering payroll data to Morrisons' external auditors on a USB stick. The data included employees' names, dates of birth, addresses, national insurance numbers and details of salary and bank accounts.
- Mr Skelton reportedly had a grudge against his employer for an earlier, unrelated disciplinary incident. In an act intended to damage Morrisons, he uploaded the payroll data of 99,998 Morrisons employees to a file sharing website.
- The personal data had been uploaded outside of work premises, from a personal computer that was not used for work and outside of working hours.
- Morrisons was found to have taken appropriate technical and organisational measures in relation to its data (e.g. the USB stick had been encrypted and it was appropriate to trust the individual with the task of delivering data in this way).
As a result of the data leak, and in the first UK group action case involving a data breach, 5,518 employees brought a claim against Morrisons for distress-based damages (following the Court of Appeal's judgment in Vidal-Hall v Google, in which it was held that a claimant did not need to show financial loss in order to seek compensation for a data protection claim).
The Judge found that Morrisons itself was not legally at fault and so was not directly liable for the data breaches. However, this is of small comfort to employers, given that the Judge concluded Morrisons could still be vicariously liable for the actions of Mr Skelton. This is the first time an employer has been held vicariously liable in such circumstances.
As a reminder, in employment law employers can be held liable for the acts of their employees if those acts are carried out "in the course of employment". On the face of it, it might be hard to see how this would apply in the case of Mr Skelton, who was acting criminally and without authority, in his own time and outside of work.
However, the court found that there was a "sufficient connection" between the position in which Mr Skelton was employed and his wrongful conduct. This was on the basis that he was an employee when he received the data and his role was to receive the payroll data, store it and disclose it to a third party. The fact he chose to disclose it to an unauthorised third party did not break the "thread that linked his work to the disclosure".
Impact for employers
This case illustrates what we sadly already know, that rogue and disgruntled employees can cause significant damage to employers. Seemingly the world of data security is now another means for them to do so, since compliance with accepted data security standards no longer appears to offer a defence to claims by affected individuals. Instead, this case has the potential to impose something akin to strict liability on employers – it was not enough that Morrisons had discharged its obligations to take all necessary steps to protect the personal data of its employees.
It is hard to know what to advise employers as a result of this case. It goes without saying that it is essential to ensure your data protection policies and procedures are robust, and that your preparations for the introduction of the GDPR on 25 May 2018 are up to speed (if you would like to read more about the GDPR and how HR can prepare for it, see here). The introduction of the GDPR is likely to be a good time to remind employees about their personal duties in relation to data protection – perhaps use the opportunity to mention as a deterrent that Mr Skelton was sentenced to 8 years in prison for his actions!
Potentially one message to take away from this case is that the Judge emphasised that Morrisons "deliberately entrusted" Mr Skelton with the payroll data and put him in a position where he was regularly in receipt of information which was confidential or had limited circulation (i.e. the information in question was not data to which he merely had access). In doing so, the Judge found, Morrisons took the risk that it might be wrong in placing its trust in Mr Skelton, which contributed to the vicarious liability finding.
One possible implication of this is that simply having access to information, as opposed to being "entrusted" with it, may not be sufficient to satisfy the test of vicarious liability. As a result, employers may want to review who among their workforce they "entrust" with personal data, and consider whether any additional checks and balances in those situations are advisable to try to counter the effects of this judgment.
Finally, it should be mentioned that Morrisons has said it will (not surprisingly) appeal this decision. The small glimmer on the horizon is that the High Court Judge was clearly troubled by the fact that Mr Skelton's actions were deliberately intended to hurt Morrisons and the effect of the vicarious liability finding essentially assists that criminal intention. Let's see what the Court of Appeal makes of all this.