On 22 October 2018, the Court of Appeal handed down its judgment in the appeal by supermarket Morrisons against the High Court's decision that it was vicariously liable for the acts of a rogue employee.
This is the first data leak class action in the UK and involves more than 5,000 employees. Read our summary of the decision and the key points you need to know.
In January 2014, Mr Skelton, an employee of Morrisons with a grudge against the company, intentionally leaked 99,998 employees' records online. This included employees' names, addresses, dates of birth, phone numbers, National Insurance numbers, bank account details and salary details.
The information was shared on various websites and sent to the media. The media notified Morrisons, who worked to remove the information the following day.
Subsequently, over 5,000 employees brought a group action (under a group litigation order) against Morrisons, seeking compensation for:
On 1 December 2017, the High Court handed down its judgment and held that, whilst Morrisons was not primarily liable/directly at fault for the data breach, and despite it having exercised "adequate and appropriate controls", it was vicariously liable. The Court was, however, concerned that Mr Skelton's intention was to harm Morrisons and that its decision to hold Morrisons liable could "render the Court an accessory to furthering his criminal aims". Therefore, the Court granted Morrisons permission to appeal the decision on vicarious liability.
Morrisons appealed on three grounds:
The appeal was heard on 9 and 10 October before the Master of the Rolls, Lord Justice Bean and Lord Justice Flaux. On 22 October 2018, the Court of Appeal handed down its judgment upholding the High Court decision that Morrisons was vicariously liable for the breach. In summary:
Morrisons have indicated that they intend to appeal the decision to the Supreme Court.
The decision has the following key practical points:
Businesses will already have needed to invest significant funds into preparing for the implementation of GDPR in May 2018. Following the decision that an employer will remain vicariously liable for the acts of an employee in breaching data protection legislation, further investment will be required in AI technology to help protect against potential breaches and with data loss prevention (particularly in large organisations).
Businesses will also need to consider changes to policies and procedures to help minimise the risks of data breaches. Where sensitive data is involved, policies may need to be changed to limit the number of employees with access to this information and set strict guidelines as to how it is to be used and shared. HR policies may also need to be reviewed in situations where an employee raises a grievance, particularly where that employee holds a position with access to significant data.
There is likely to be additional training required for HR teams, senior managers and supervisors to help identify the areas of risk within a business and to ensure effective management of employees handling data.
In response to arguments raised on behalf of Morrisons of the potentially huge financial impact the decision could have on innocent employers, the Court of Appeal simply referred to the option to take out insurance to cover these circumstances. This may be an additional cover businesses need to consider.
However a data breach occurs, the impact it can have on a business's reputation could be significant and wide-ranging. Many companies that have suffered a data breach see a significant impact on share price and customer loyalty. It is important that a business has appropriate plans in place to ensure that, should a breach happen, it is able not only to comply with its regulatory requirements (ICO reporting) but also to minimise the negative impact on reputation and customer confidence.
In the nearly 20 years since the inception of the DPA, this is the first case to question whether vicarious liability can arise where an employee has deliberately misused data. In reaching the conclusion, the trial judge showed some hesitance, as he acknowledged that finding Morrisons liable might be seen to render the Court an accessory to furthering Mr Skelton's criminal acts. It was for this reason that he gave permission to appeal.
Businesses will find the Court of Appeal's decision concerning, as the finding cements the position that, even in circumstances where an employer has appropriate controls in place and is considered "innocent", it could still be liable for the acts of a rogue employee. Whilst businesses can put in place procedures and policies to help protect against these risks, in reality it will be nearly impossible to fully protect a business against the acts of a determined disgruntled employee. It seems inevitable that the Supreme Court will hear an appeal on such an important point of law but, for now, employers face this additional risk and burden, and this is likely to be an area of attention for claimant firms and the claims management industry.
For more information, please contact Richard Hayllar (Partner) or Alanna Tregear (Associate).
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.