Morrisons Supermarkets plc have been held liable to 5,518 of their employees for a deliberate data breach by a rogue employee, Andrew Skelton.
Skelton had been employed by Morrisons as a senior IT auditor. In the course of his duties he was required to collate employee data for Morrisons’ external auditors.
Unknown to his employer, Skelton extracted a copy of the data for himself, consisting of the names, addresses, gender, date of birth, phone numbers, national insurance numbers, bank sort codes and bank account numbers of 99,998 Morrisons employees. He later uploaded this copy data onto a file sharing website. The data remained public for two months before Morrisons were alerted to the situation and took steps to prevent access to the data.
Skelton was convicted in subsequent criminal proceedings and sentenced to 8 years’ imprisonment for offences under the Computer Misuse Act and the Data Protection Act. In sentencing, the Crown Court observed that Skelton had uploaded the data owing to a grudge that he bore the company following an earlier disciplinary warning. The disciplinary warning had been unrelated to data security issues.
The later High Court judgment concerns Morrisons’ civil liability to its employees.
“Primary” liability under the Data Protection Act 1998 (“DPA”)
First, the court considered whether Morrisons itself had any “primary liability” to compensate its employees for the data breach under the DPA. Subject to one exception which was found to be irrelevant to the question of liability, the judge held that Morrisons had operated appropriate control mechanisms for data security under the DPA.
Similarly, having reviewed the evidence, the judge held that no-one else at Morrisons knew or ought to have known prior to the breach that Skelton was not to be trusted with data.
The company therefore had no “primary” liability to its employees for the breach.
Once Skelton unlawfully copied the data for his own purposes, he became a data controller in his own right under the DPA in respect of the copy data on the memory stick, and he then breached his own duties under the DPA. The second aspect of the judgment concerns whether Morrisons were “vicariously” liable for Skelton’s breaches as his employer, despite the company itself not being “at fault”.
The judge was satisfied that Skelton’s actions were sufficiently closely connected to his employment that the legal tests for vicarious liability were satisfied. He also held that the DPA did not exclude the possibility of vicarious liability.
However, the judge was most troubled by the argument that, in finding Morrisons liable, the court was in effect rendered an accessory to Skelton’s criminal aim of damaging the company. The judge has granted permission to appeal the finding, and media reports suggest that Morrisons will appeal.
What should organisations do?
Aside from any appeal, the court has not yet ruled on what each employee’s claim is worth. Organisations should ensure that appropriate data security measures, policies and procedures are in place and followed to help ensure that they have a defence to a primary liability claim. Organisations should also check whether their current insurance arrangements will meet potential compensation claims (for primary and secondary liability) arising from a data breach. The Morrisons claims were advanced both under the DPA and for misuse of private information and breach of confidence.
Class action claims will continue to be a risk for organisations. By 25 May 2018 the EU General Data Protection Regulation and UK Data Protection Bill will come into effect, replacing the DPA and including measures intended to allow representative bodies (e.g. consumer law organisations) to bring compensation claims on behalf of affected individuals.