Following a recent ruling by the High Court against WM Morrisons Supermarket PLC (“Morrisons”), employers may now find themselves vicariously liable for data breaches perpetrated by their employees.
In 2014, it was discovered that a file containing the pay roll data of 99,998 Morrisons’ employees had been uploaded to a file sharing website. This data included names, dates of birth, addresses, national insurance numbers, and details of employees’ salaries and bank accounts.
Following an investigation, it was revealed that one of Morrisons’ employees, Andrew Skelton – a senior IT auditor – had copied the data which he was supposed to send to KPMG, Morrisons’ external auditors, to a personal USB drive. Mr Skelton then uploaded this data to a file-sharing website.
Mr Skelton’s actions were reportedly the result of a grudge that he held against his employer following an earlier, unrelated disciplinary incident. As a result, Mr Skelton was subsequently arrested and sentenced to eight years in prison pursuant to the Computer Misuse Act 1990 and the Data Protection Act 1998 (the “DPA”).
Now, in what is the first-ever group action case involving a data breach, 5,518 of the affected employees have bought a group class action against Morrisons for breach of its statutory duty under the DPA and at common law.
The claim was made on the basis that Morrisons was (i) directly liable for breaching its statutory duty; and (ii) in the alternative, vicariously liable for the breach in its capacity as Mr Skelton’s employer.
On the issue of direct liability, the court noted that Morrisons could not be directly liable as it had not breached the principles of the DPA, nor had it disclosed or misused the information. These were the actions of Mr Skelton, who was acting criminally and without authority.
However, on the issue of vicarious liability, the court found that Morrisons could be held responsible for the actions of Mr Skelton. In reaching its decision, the court found that ‘there [was] a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct’.
While organisations can take some degree of comfort from the decision that Morrisons were not found to be directly liable, the establishment of vicarious liability will be a cause of concern for many. This case suggests that employers could find themselves in the uncomfortable position of being exposed to data breach liabilities, even where they have no direct knowledge of the action giving rise to such liability.
Interestingly, the court did express some difficulty in reaching its decision on the issue of vicarious liability. The court was particularly troubled by the argument that, in imposing vicarious liability on Morrisons, it could be seen as an accessory in furthering Mr Skelton’s criminal aims: to harm Morrisons. As a result, the court has granted Morrisons leave to appeal its conclusion as to vicarious liability, and Morrisons has confirmed its intention to do so.
This judicial development is particularly interesting in light of the impending implementation of GDPR. Article 80 GDPR empowers data subjects to mandate non-profile organisations to exercise rights and bring claims on their behalf. It may be the case that such large-scale actions by affected data subjects become more common on this side of the Atlantic in the future.