Various Claimants v WM Morrisons Supermarket plc
On Friday 1 December 2017, the High Court handed down the eagerly anticipated judgment on liability in this group action, brought by over 5,000 Morrisons employees.
The outcome – the Court held that a data controller can be held to be vicariously liable for the actions of a rogue employee, even where it exercised adequate and appropriate controls.
In January 2014, Mr Skelton, who was an employee of Morrisons, leaked 99,998 employees' records online. This included employees' names, addresses, dates of birth, phone numbers, National Insurance numbers, bank account details and salary details. In short, sufficient information for identity theft.
The information was shared on various websites and sent to the media. The media notified Morrisons, who were able to remove the information the following day.
Mr Skelton had access to this personal information through his role as a senior IT auditor, in which he was tasked with compiling the information and passing it securely to an external auditor.
In July 2015, Mr Skelton was convicted of fraud and of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).
Subsequently, over 5,000 employees brought a group action (under a group litigation order) against Morrisons, seeking compensation for:
Although the precise reasons for Mr Skelton's actions are unclear, it was suggested at trial that they resulted from a grievance he held over previous disciplinary action against him.
Vicarious liability is a common law principle whereby an employer can be held liable for the acts of its employees carried out in the course of employment.
As can be seen from this case, it is not necessary for there to be wrongdoing on the part of the employer.
The principle exists to provide a secondary remedy to individuals who have suffered harm, and where there is unlikely to be any recourse against the wrongdoer.
This is the first case in nearly 20 years, since the inception of the DPA, to question whether vicarious liability can arise under the DPA where an employee has deliberately misused data with which he was entrusted.
Data breaches are becoming an increasingly large problem for businesses, especially with the availability and portability of digital data. A report by IBM demonstrated that, in 2016, of the reported security incidents, 58% were caused by insiders, with 5% of those being malicious.
Therefore, for the courts to find that the employer can be liable, notwithstanding that it took appropriate steps to protect the data, will be of concern to many businesses.
Morrisons have been given leave to appeal, and it is anticipated that they will do so, not least because the case will set a precedent, meaning that the remaining 95,000 affected by the breach could bring separate claims for compensation.
This trial was only to review liability, with quantum still to be decided. However, with large-scale data breaches, even modest damages awards per head could lead to substantial pay-outs. Further, such breaches will shake confidence in businesses, potentially leading to a reduction in share value.
From a practical perspective, if this decision is upheld, it means that if a data breach occurs, businesses increasingly need to be thinking about preparing defences to any claims for damages as well as complying with their regulatory obligations and potential regulatory fines.
On a final note, the General Data Protection Regulation (GDPR) is set to replace the existing data protection regime on 25 May 2018. This will not have retrospective effect. However, as with the DPA, we do not consider that the GDPR (or the current draft Data Protection Bill, which will make provision for how it is applied in the UK) either expressly or impliedly excludes vicarious liability, meaning that this ruling (subject to appeal) could set the benchmark for data protection going forward. In addition, under the GDPR, businesses will have an obligation to tell individuals about serious data breaches, which would effectively put them on notice that they have a potential claim and will likely increase the volume of claims.
Contributors: James Tithecott, Emily Black and Alanna Tregear
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2017. Specific advice should be sought for specific cases.