Vicarious liability of data controllers: The Morrisons data breach case
Various Claimants v. Wm Morrisons Supermarket plc, High Court of Justice, Queen’s Bench Division, [2017] EWHC 3113 (QB), Case No: HQ15X05099, 1 December 2017
Following the conviction of Andrew Skelton, a former Morrisons employee, after he published Morrisons’ employees’ personal details on a file sharing website, a group of over 5,500 employees of Morrisons took action against the supermarket to recover compensation for breach of a statutory duty under the UK Data Protection Act 1998 (‘DPA’), as well as for breach of confidence and misuse of private information. Morrisons was found to be vicariously liable for the criminal actions of its employee in copying and publishing employee data without authorisation, notwithstanding a finding that Morrisons had largely complied with its obligations under the DPA. The decision has implications for companies’ liability for the actions of employees acting on their own account, even where that company has fulfilled its compliance obligations as a data controller.
Data controllers will be forgiven if the recent decision of Mr Justice Langstaff in Various Claimants v. Wm Morrisons Supermarket plc [2017] EWHC 3113 (QB) leaves them feeling under a barrage of legal and regulatory liability. The case was one of the first group data protection claims, and Morrisons was found vicariously liable for the criminal actions of its employee in copying and publishing employee data without authorisation, notwithstanding a finding that the supermarket had largely complied with its obligations under the Data Protection Act 1998.
While the decision, which is under appeal, will add to the burden on organisations who are already preparing for the GDPR and facing the prospect of increased litigation by not-for-profit bodies, it will be of interest in relation to the exacting standards by which organisations are to be judged in the safeguarding of personal data under the seventh data protection principle.
A senior IT auditor at Morrisons, Andrew Skelton, had been running a personal sideline dealing in the sale of a slimming drug, which he purchased wholesale and sold on eBay. On occasion, he used Morrisons’ post room to send packages to his customers at his own cost. In May 2013, one such package came open in the post room and, containing a white powder, caused alarm and led to the police being called. The incident led to Skelton being suspended pending analysis of the powder. Once it was confirmed that the powder was not illegal, Skelton was permitted to return to work in early July. He faced a disciplinary hearing which led to him being given the lowest available disciplinary sanction, a formal verbal warning which was recorded on his personnel file and would remain there for six months. Skelton appealed against the sanction imposed, but his appeal was rejected when it was heard in August 2013.
Unknown to Morrisons at the time, in October 2013 Skelton used his work computer to conduct an internet search for ‘TOR’ or ‘The Onion Router,’ anonymity software which routes a computer’s internet traffic through a chain of relays so that the originating computer cannot readily be identified by the sites it visits.
In November 2013, as part of his job Skelton was provided with a file containing personnel data, with a view to him passing it on to Morrisons’ external auditors. The file had been downloaded from Morrisons’ proprietary software by one of a limited number of authorised employees, whose access to the system was tracked, and contained information on almost 100,000 employees and included names, addresses, gender, date of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salaries. Due to the size of the file, an attempt to email the file was unsuccessful and so the information was saved to an encrypted USB stick and uploaded to Skelton’s laptop. Skelton copied the data together with other information onto an encrypted USB stick provided by the external auditors and passed it on to them.
On 14 November, Skelton purchased a new mobile phone. On 18 November 2013, Skelton inserted an unknown USB device into his laptop and, the Court found, copied the payroll data onto it with the intention of criminally misusing the data.
On 16 December, and again unknown to Morrisons, Skelton attempted to access the TOR site from his work laptop.
Skelton uploaded the payroll data to a file sharing website in January 2014 and, apparently disappointed at the lack of reaction to the publication, anonymously sent CDs containing the data to three newspapers, together with a link to the data on the file sharing site on 13 March 2014. One of the newspaper recipients notified Morrisons, which took immediate steps to have the website taken down and informed the police. In the ensuing investigation, colleagues of Skelton’s were arrested and subsequently released without charge, one of whom had been the subject of a deliberate attempt by Skelton to frame him.
Skelton was arrested on 19 March 2014, and charged with offences under the Computer Misuse Act 1990, the Fraud Act 2006 and s55 Data Protection Act 1998. He was tried and convicted in July 2015 and sentenced to a term of eight years’ imprisonment. At his criminal trial, the Recorder of Bradford found that following the disciplinary process against him, Skelton had gone on to “harbour very considerable bad feelings towards Morrisons” and “set about […] doing Morrisons some real damage.”
5,518 of the affected employees brought a claim for compensation for breach of statutory duty under s4(4) DPA, and at common law for misuse of private information and breach of confidence. The Claimants argued that Morrisons bore primary and vicarious liability for Skelton’s acts.
The trial dealt only with liability, with quantum being left to be determined at a later date. The Claimants argued that, in relation to primary liability, Morrisons had failed to comply with the first, second, third, fifth and seventh data protection principles (1), that is to say the obligations to: process data fairly and lawfully and in accordance with the conditions set out in Schedules 2 and 3 of the Data Protection Act 1998, as appropriate; obtain data only for one or more specified and lawful purposes and not further process the data in a manner incompatible with those purposes; ensure data are adequate, relevant and not excessive in relation to the purpose(s) for which they are processed; retain data for no longer than is necessary for those purpose(s); and take appropriate technical and organisational measures to safeguard against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, or damage to personal data.
In respect of these, the Claimants argued that they had not consented to Skelton’s processing, which was not fair or lawful, and that the criminal purposes for which Skelton processed their data did not comply with the second data protection principle. The complaints under the third and fifth data protection principles were not expanded upon during the course of the trial. Under the seventh data protection principle, the Claimants argued that it had been inappropriate to entrust Skelton with the payroll data, alleging that he was unsuitable for the role because “he had not yet been rehabilitated from very recent disciplinary action and was, to the knowledge of the Defendants, unhappy with the way in which the Defendant had dealt with the investigation and disciplinary process.”
The Claimants also argued that Morrisons should have identified the attempt to transfer the data to Skelton via email, that it had been inappropriate to transfer the payroll data on a USB stick, that there was inadequate management or mentoring of Skelton following the disciplinary process, that Morrisons ought to have detected Skelton’s research relating to the TOR network on his work laptop, that Morrisons should have denied Skelton access to the data, and that Morrisons had failed to ensure that the payroll data was deleted after it had been transferred to the external auditors, KPMG.
The Defendant did not rely upon the defence under s13(3) Data Protection Act 1998, that such care had been taken as was reasonably required to comply with its obligations under the Act. This was because, it was argued, Skelton’s conduct was such as to place him in the role of data controller in respect of his copying and subsequent dissemination of the payroll data, and Morrisons was therefore not liable under the Act for his actions.
Langstaff J rejected the Claimants’ argument that to hold a data controller liable only for its own contraventions of its obligations under the DPA would make a mockery of the scheme. He held that Morrisons was not the data controller at the time of any breach of the first, second, third and fifth data protection principles and the only duty it could owe to the Claimants was that under the seventh data protection principle, i.e. to take appropriate technical and organisational measures to safeguard their personal data (2). Having regard to the Court of Appeal’s judgment in Vidal-Hall v. Google Inc (3), and the purpose ascribed to Directive 95/46/EC (4) of being to “provide a high level of protection to the right of privacy in respect of the management of personal data by data controllers,” the Judge found that he could not “construe either the Directive or the Act as requiring a data controller to be responsible even without fault for the subsequent disclosure by a third party of some of the information given to it (5).”
In relation to the application of the seventh data protection principle, Langstaff J found a correlation with the approach to the tort of negligence, and found that it afforded an indicative standard which ought to be applied, that is to say the standard is to be “judged by balancing the magnitude of the risk of the activity in question (itself a combination of the likelihood of injury and the severity of it should it occur) against the availability and cost of measures to prevent the risk materialising, and the importance of the object to be achieved by performing those actions (6).”
Accordingly, he found that the standard applicable to the protection of data relating to 100,000 employees would be higher than that applicable to “a small enterprise employing 6 or 7 workers (7).” The Judge held that the extraction and transfer of the data to Skelton had been secure and, even if it had not been, was not the cause of the unauthorised disclosure of the data online. He also held that the storage of the data on Skelton’s encrypted laptop was appropriate, even after the data had been transferred to KPMG, to allow for any queries to be addressed, and that this would have remained appropriate up until the conclusion of the audit (8).
The failure to ask Skelton whether the data had been deleted, or to check that it had been, before the conclusion of the audit was held not to constitute a breach of the seventh principle. The Judge did find that there was no organised system for the deletion of data from Skelton’s computer (which sat outside the usual secure repository for payroll data) and no failsafe, and he considered that this fell short of the requirements of the seventh principle; but he also found that this shortcoming neither caused nor contributed to Skelton’s disclosure of the data (9).
As to whether Morrisons ought to have refused Skelton access to the data, the Judge found that there was nothing about the white powder incident itself which suggested that Skelton could no longer be regarded as trustworthy (10), and noted that it “cannot sensibly be suggested that employees so warned cannot then be trusted to do their job or require to be supervised (11).” Nothing in his lack of motivation was indicative of the criminal conduct he was to embark upon. There had been no breach of the seventh principle in permitting Skelton access to the data.
The Judge rejected the suggestion that Skelton ought to have been the subject of monitoring and mentoring during the six month validity of the warning. He also rejected the suggestion that the attempt to email the data to Skelton was an opportunity to prevent him gaining access to the data.
Morrisons was not able to automatically detect whether employees might be using its systems to research TOR, although access to the TOR network itself would have been restricted. Records of every website request made were retained but, consistent with the approach of other large companies, were not routinely reviewed unless it was necessary and appropriate to do so in a particular case. The Court considered that active and routine monitoring would be impracticable, disproportionate and unnecessary given that firewalls prevented access to undesirable material, would no doubt be seen as invasive of Article 8 rights, and would not in itself have indicated Skelton’s unsuitability (12).
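The distinction the Court drew is between routine monitoring of everyone’s browsing, which it found disproportionate, and a targeted, after-the-fact review of retained request logs where a particular case justifies it. The following is an added illustration of what such a targeted review looks like in practice; it is not code from the judgment or from any Morrisons system. The proxy log format, the field names, the user names and the sample lines are all constructed for the example, and the search-engine and Tor host lists are assumptions that a real deployment would replace with its own.

```python
"""Targeted retrospective review of retained web-request logs for Tor-related activity.

Added example, not part of the original article or of any Morrisons system.
The log format (timestamp, user, method, URL, HTTP status), the user names and
the sample lines below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log lines. A 403 status stands in for "blocked by the firewall".
SAMPLE_LOG = """\
2013-10-07T09:14:02Z jsmith GET https://www.bbc.co.uk/news 200
2013-10-07T11:03:55Z askelton GET https://www.google.co.uk/search?q=tor+the+onion+router 200
2013-10-07T11:04:31Z askelton GET https://www.torproject.org/download/ 403
2013-11-02T08:30:11Z jsmith GET https://www.google.co.uk/search?q=torque+wrench 200
2013-12-16T17:45:09Z askelton GET https://check.torproject.org/ 403
2013-12-16T17:46:12Z askelton GET http://exampleonionaddress.onion/ 403
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumed lists; a real review would use the organisation's own proxy categories.
SEARCH_HOSTS = {"www.google.co.uk", "www.google.com", "www.bing.com", "duckduckgo.com"}
TOR_HOST_SUFFIXES = ("torproject.org", ".onion")
# Word-bounded so that "torque" is not a hit while "tor" and "onion router" are.
TOR_TERMS_RE = re.compile(r"\b(tor|onion router)\b", re.IGNORECASE)


def classify(url):
    """Return 'tor-host', 'tor-search', or None for a single requested URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host.endswith(TOR_HOST_SUFFIXES):
        return "tor-host"
    if host in SEARCH_HOSTS:
        # parse_qs decodes '+' to a space, so "tor+the+onion+router" becomes a phrase.
        query = parse_qs(parts.query).get("q", [""])[0]
        if TOR_TERMS_RE.search(query):
            return "tor-search"
    return None


def review(log_text):
    """Scan retained log lines; return (timestamp, user, reason, url, blocked) findings."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        ts, user, _method, url, status = m.groups()
        reason = classify(url)
        if reason:
            findings.append((ts, user, reason, url, status == "403"))
    return findings


def users_to_escalate(findings):
    """Users who both searched for Tor and then had a blocked attempt to reach a Tor host.

    A single blocked request is weak evidence on its own; requiring both signals
    keeps the review narrow, in line with the proportionality concern in the text.
    """
    by_user = {}
    for _ts, user, reason, _url, blocked in findings:
        flags = by_user.setdefault(user, set())
        flags.add("tor-host-blocked" if reason == "tor-host" and blocked else reason)
    return sorted(u for u, f in by_user.items() if {"tor-search", "tor-host-blocked"} <= f)


if __name__ == "__main__":
    hits = review(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("escalate:", users_to_escalate(hits))
```

Run on the constructed sample, the review flags four requests, all from one user, and escalates only that user; the colleague whose search was for a torque wrench is not touched. The point is not that Morrisons should have run this routinely, which the Court rejected, but that retaining the logs makes a narrow, justified review possible once a case arises.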
Having determined that Morrisons was not liable under the Data Protection Act 1998, Langstaff J also found that it had not misused, authorised the misuse of or permitted the misuse of private information and had not disclosed confidential information, and therefore bore no primary liability.
However, in considering Morrisons’ vicarious liability in accordance with the principles set out in Mohamud v. William Morrison Supermarkets plc (13), Langstaff J rejected the Defendant’s contentions that the statutory scheme under the DPA debarred the application of vicarious liability to a data controller or other liability otherwise than under the Act as being disproportionate, as the DPA neither expressly nor impliedly excluded such liability.
The Judge accepted the Claimants’ contention that if any misuse of personal data by an employee took the processing outside of the scope of the controller’s liability, then the scheme would fail to achieve the aim of the Directive in affording protection to data subject rights. Langstaff J was not persuaded by warnings of the “eye-watering liability” which would be imposed on data controllers by coupling the cost of compliance with the potential further liabilities, and suggested that this would be covered by appropriate insurance.
On the specific application of the principles of vicarious liability, Langstaff J found that “there was an unbroken thread that linked” Skelton’s work to the disclosure, that Skelton had been deliberately entrusted with the data by Morrisons, and was acting as an employee when he received the data. The Judge rejected the contention that the fact that the disclosures were made at a weekend, using personal equipment at home, disengaged them from his employment. Skelton’s motive was irrelevant in determining vicarious liability.
While recognising that Morrisons was itself a victim of Skelton’s conduct, which led the Court to grant it permission to appeal, the Judge nevertheless held that it was right for Morrisons to be vicariously liable to the Claimants.
The implication of the judgment is that notwithstanding an organisation achieving compliance with its obligations as a data controller, at not insignificant expense, data controllers may nevertheless be held liable for the conduct of an employee acting on their own account even where those actions are criminal and deliberately targeted at harming the organisation; there is an obvious tension in such a finding.
While regulatory compliance may save a data controller from the abundant fines available under the GDPR, this will not be sufficient to avoid the prospect of liability for compensation and costs in group litigation, whether brought by individuals themselves or by a not-for-profit on their behalf under the new rights afforded by the Regulation. Organisations need to take appropriate steps to prepare for such potential liability, considering insurance against the risk and having robust processes in place to mitigate the risks when a data breach occurs.
Data controllers, particularly large organisations, will also wish to take heed of the warning that the lack of a process for the deletion of data after use would not be compliant with the seventh principle; this is likely to be an area where many organisations’ systems would be found wanting.
This article was originally published in the February 2018 issue of the Leading Internet Case Law.
1. Schedule 1, Data Protection Act 1998.
2. Various Claimants v. Wm Morrisons Supermarket plc [2017] EWHC 3113 (QB), para. 50.
3. Vidal-Hall v. Google Inc [2015] EWCA Civ 311, [2016] QB 1003.
4. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
5. Various Claimants v. Wm Morrisons Supermarket plc, para. 57.
6. Ibid, para. 68.
7. Ibid, para. 69.
8. Ibid, para. 80.
9. Ibid, para. 120.
10. Ibid, para. 90.
11. Ibid, para. 91.
12. Ibid, paras. 104-105.
13. Mohamud v. William Morrison Supermarkets plc [2016] UKSC 11.