The case of Various Claimants v Morrisons Supermarket [2017] EWHC 3113 (QB) has opened the door to vicarious liability attaching to employers for data breaches caused by their employees, even where the data breaches are deliberate criminal acts.

The case ran under a group litigation order (broadly equivalent to a US class action) involving 5,518 claimants in relation to the disclosure on the Internet of the payroll records of 100,000 Morrisons employees by Andrew Skelton (a senior IT internal auditor). Prior to the civil case, Andrew Skelton was sentenced to 8 years' imprisonment for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (“DPA”).

Direct liability

The High Court concluded that Andrew Skelton became the data controller when “he put himself in the position of determining the purposes for which and the manner in which the personal data he was about to copy from his laptop was to be handled.” – i.e. to sabotage and damage the reputation of Morrisons. Thus Morrisons were no longer the data controller from that point onwards. Morrisons had no direct liability as the DPA did not make a data controller liable for data breaches which it is in no sense responsible for either authorising or requiring….”

Vicarious liability

It is worth emphasising that vicarious liability arises where “one party without personal fault is held responsible in law for wrongs committed by another.” The most common example is where employers are liable for torts/wrongs committed in the “ordinary course of employment”; however, rather than “leave those wronged with a sole remedy, of doubtful value, against the individual employee”, the courts have extended this concept.

The question of whether the tort is sufficiently connected to the employment is usually answered in the affirmative. For example, where an employee at a petrol station verbally and physically assaulted a customer out of personal racism, the employer was held liable. As an extreme example, Barclays were vicariously liable when a doctor, acting as an independent contractor rather than an employee and operating from his own premises, sexually harassed numerous employees during occasional medical examinations (Various Claimants v Barclays Bank [2017] EWHC 1929 (QB)). Having developed in the context of negligence, vicarious liability will now attach to any statutory tort unless that statute indicates otherwise.

As a result, the fact that Andrew Skelton’s disclosure of the data took place on a Sunday and from a remote location away from work did not excuse Morrisons from liability – the Court likened this to “an unbroken thread.” One significant factor pointing towards Morrisons being liable was that handling the payroll data was a task specifically assigned to Andrew Skelton.

The Court concluded that it was consistent with the policy of the DPA (greater security and protection for the data subject) to make the employee directly liable as a data controller and to make its employer liable vicariously. The Court found that arguments that this would lead to a flood of overwhelming liability for employers were “overstated” and predicted that liability for data breaches is unlikely to be as large as it is for existing product liability claims. This expansion of the liability of employers is particularly concerning because the pivotal case of Google v Vidal-Hall established that data subjects are able to make claims under the DPA for distress caused by a data breach (without having to prove direct financial losses).

The case also illustrates that the court treats claims for breaches of section 4(4) of the DPA, breach of confidence and misuse of private information in a broadly similar manner, even though they are distinct in nature and origin.

The judgment did not address the quantum of liability (and it may be that the parties negotiate that rather than having the Court decide it), but the sums involved for Morrisons may be significant given the 5,518 claimants. There is limited case law on the quantum of damages in these circumstances. Morrisons are understood to be appealing the judgment.

Business impact

As the Court mentioned in its judgment, the intrusive monitoring required to detect this sort of criminal activity on the part of employees is unlikely to be legally justifiable in typical cases, which makes it harder to find a practical solution. Monitoring activity at the network level rather than on individual devices (e.g. looking for unusually large transfers of data or systematic copying) and monitoring or restricting the use of USB ports are already commonplace, and bespoke solutions may be available here. For some businesses, insurance can be another component of a solution.

If any of these issues touch on your business or you would like to get in touch, please contact Nic Ruesink-Brown