Morrisons data breach case
Court of Appeal rules that Morrisons is vicariously liable for employee's deliberate disclosure of personal data of co-workers.
The Court of Appeal has upheld the High Court's finding that Morrisons was vicariously liable for the deliberate and criminal disclosure by an employee of personal data belonging to co-workers in Various claimants v WM Morrisons Supermarket plc. This is a concerning decision for employers who will find it hard to avoid vicarious liability in such cases, even if they can show that appropriate measures have been implemented in accordance with data protection legislation.
Morrisons have made clear their intention to appeal to the Supreme Court, but in the meantime it will be particularly important for employers to review their insurance cover for what could be ruinous claims.
Mr Skelton was employed by Morrisons as a senior IT internal auditor. Just before Morrisons' annual financial reports were announced, a file containing the personal details of almost 100,000 Morrisons' employees was posted on a file sharing website by Mr Skelton. This was done deliberately to damage Morrisons' reputation (Mr Skelton's motivations were malicious as he bore a grudge against Morrisons in relation to a previous disciplinary incident). Mr Skelton was imprisoned for various offences including a criminal breach of the Data Protection Act. The co-workers whose data had been disclosed made a group civil claim against Morrisons for compensation, arguing that Morrisons had both primary liability for its own acts and omissions and vicarious liability for the actions of Mr Skelton.
The Court of Appeal upheld the employees' claims against Morrisons, finding it vicariously liable for Mr Skelton's wrongdoing. This was despite the fact that the Information Commissioner had not criticised Morrisons' data security procedures, and the judge who had originally upheld the claim had not identified failings by Morrisons which could have prevented the data breach. There was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct to make it right for Morrisons to be held vicariously liable.
The judgment gives rise to the possibility of claims for damages from all Morrisons' workforce, approximately 100,000 workers. The Court of Appeal considered the potentially significant financial implications this finding could have. It acknowledged that there have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. Although these might lead to a large number of claims against the relevant company for potentially ruinous amounts, this was not a basis for not finding vicarious liability. The Court commented that the solution is for employers to insure against such catastrophes, as well as to insure against losses caused by dishonest or malicious employees.
Implications for employers
Following the decision in the Morrisons case, even an employer which has met its security obligations under the GDPR and Data Protection Act may still be liable for the actions of a vengeful or rogue employee.
Although criminal employees like Mr Skelton are thankfully few and far between, their actions could spell disaster for an unwary employer.
It follows that employers should urgently review their insurance arrangements to check that this risk is covered and, if it isn't, take the requisite steps to ensure that it is and that such cover is maintained.