Employer found vicariously liable in data leak class action

Various Claimants v Wm Morrisons Supermarket PLC [01.12.2017]

The High Court finds Morrisons vicariously liable for the criminal actions of its employee in posting almost 100,000 of its employees’ personal data on the web. Insurers may wish to look closely at the wording of their employer’s and public liability policies to check the extent of what they might be covering.

Background

On 12 January 2014 a file containing personal details of 99,998 Morrisons’ employees was posted on a file sharing website. The data consisted of names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary information.

This act had been done by Andrew Skelton, a senior IT auditor employed by Morrisons who, when authorised by Morrisons to pass a copy of the data to Morrisons’ auditors, had taken a copy for his own ulterior motives.

Skelton had previously been disciplined after a packet containing a white powder was identified in Morrisons’ Post Room. The white powder was a slimming aid (which Skelton was selling as part of his own business) and was legal but which police tests identified as a close analogue to Amphetamine.

On 19 March, Skelton was arrested in relation to the taking and posting of data. He was charged and convicted under the Computer Misuse Act 1990 and under Section 55 of the Data Protection Act 1998 (DPA) and sentenced to eight years imprisonment. Skelton did not offer an explanation as to why he had committed these acts but the trial judge found that it was connected to the earlier disciplinary proceedings.

Subsequently 5,518 employees of Morrisons whose data was disclosed claimed compensation both for breach of statutory duty (under Section 4(4) of the DPA) and at common law (the tort of misuse of private information, and equitable claim for breach of confidence). Those claims were on the basis that Morrisons had both primary liability for its own acts or omissions, and secondary (vicarious) liability for the actions of one of its employees harming his fellow workers.

The decision

Morrisons was found not primarily liable for the data breach under either the DPA, the common law of misuse of private information, or an equitable action for breach of confidence. It was Skelton, not Morrisons, who was the data handler of the data set which was subject to the unlawful disclosure.

However, the Judge did find that Morrisons was vicariously liable for Skelton’s actions, somewhat ironically applying Mohamud v William Morrison Supermarkets plc [2016].

He concluded that there was a sufficient connection between the position in which Skelton was employed and his wrongful conduct to make Morrisons vicariously liable for his actions.

The Judge expressly rejected the argument advanced by Leading Counsel for Morrisons that the DPA excluded vicarious liability.

The Judge was, however, troubled by Morrisons’ submission that Skelton’s wrongful acts were deliberately aimed at the very party whom the claimants sought to hold responsible, and that in reaching his decision the court might seem to become an accessory in furthering Skelton’s criminal aims. In light of this, he granted Morrisons leave to appeal.

Comment

This appears to be the first case involving a civil claim following a malicious data breach where issues of primary and vicarious liability have been fully aired.

The finding of vicarious liability follows the approach of the courts in the personal injury sphere and shows the balancing act that they have chosen to perform in seeking to protect innocent parties.

What may be of greater interest and possibly concern to insurers is whether their employers’ and public liability policies would respond to such incidents, particularly when such a large number of potential claimants can be involved.

Insureds should ensure that they have adequate cover in place to protect them against such incidents and that their internal policies are in place, up to date and regularly communicated to their staff.

Here, the perpetrator’s actions were suspected to be retaliation for recent investigations regarding the use of business premises to receive delivery of a slimming aid as part of the employee’s external activities. Therefore, although this judgment will be subject to the court appeal process, it could be wise for employers to:

  • Review their vetting process for potential employees.
  • Require disclosure of separate company directorships or partnerships to promote openness.
  • Revise their contracts of employment and staff handbooks to incorporate an ongoing obligation to disclose such outside interests and incorporate failure to disclose such interests as a disciplinary offence.
  • Reiterate to staff that use of personal data during the employee/employer relationship activities should only be for the legitimate purpose of those activities and not for any personally motivated other purposes.