Various Claimants v WM Morrisons Supermarket PLC
Can a business be held vicariously liable for the actions of an employee who deliberately breaches its data protection policies and data protection law?
In 2013 Andrew Skelton leaked the payroll data of almost 100,000 Morrisons employees. Mr Skelton retained a copy of the payroll master file without his employer’s knowledge and posted the information to a file-sharing website.
5,518 affected employees brought claims for compensation. They alleged that Morrisons had breached their duties under the Data Protection Act 1998 (DPA) and were liable for the common law torts of misuse of private information and breach of confidence.
The court at first instance found that Morrisons had taken appropriate technical and organisational measures to safeguard personal data. It held that the business had not breached its duties under the DPA, but that it was vicariously liable for misuse of private information and breach of confidence by Mr Skelton.
Morrisons appealed the second issue to the Court of Appeal.
The Court of Appeal rejected Morrisons’ arguments. Its reasoning affirmed the conclusions reached by Langstaff J in the High Court. The key points in the judgment were as follows:
- the DPA does not exclude vicarious liability for misuse of information or breach of confidence. Whilst the provisions of the DPA only require that reasonable measures are taken to protect personal data, strict liability is still possible under the common law. Parliament would have made it clear in the statute if they intended to exclude this type of liability
- Morrisons was vicariously liable for Mr Skelton’s actions. His malicious intentions when leaking the information did not prevent this from being made out. The court agreed with Langstaff J’s opinion that the incident occurred through an unbroken chain of events.
The Court of Appeal refused Morrisons permission to appeal. However, Morrisons have indicated that they will attempt to take their case to the Supreme Court.
Why is this important?
Even if businesses commit considerable resources to ensuring data compliance, they can still be held liable for the actions of a rogue or careless employee. The costs involved in defending group litigation can be enormous. Businesses should actively consider taking steps to minimise the risk of such incidents and limit their exposure.
Any practical tips?
The Court of Appeal referred to the role of cyber insurance in their judgment. Those concerned about the potential impact of a data breach should review their insurance policies. Businesses should check that they have suitable coverage in terms of the heads of losses and the liability for individual and aggregate claims. Having said this, it must be questioned as to how far insurance cover could extend to the potentially enormous (terminal?) liability created by class actions for data breach.
Another step that concerned parties can take is to ensure that they have access to a consolidated breach response service (like RPC’s ReSecure). Following a breach, response services can provide relevant professional support from forensic IT experts and specialist lawyers, and limit the consequences of a breach. These services are offered as a benefit of some cyber insurance policies.
In terms of prevention strategies, IT policies can be designed to restrict the use of USBs and personal email addresses (which are often culprits in data breaches). IT teams can also monitor for breaches of IT policy and look into potentially suspicious activity. There is software available on the market which allows IT teams to identify spikes in data retrieval.
In short, no stone should be left unturned in the quest to limit the risks of a severe data breach. The consequences of a class action include the possibility of astronomical aggregate damages claims (not even counting GDPR-level fines). These could be enough to sink almost any business, however strong their balance sheet.