The Supreme Court has today ruled in favour of Morrisons Supermarkets in relation to a class action data breach claim, brought by a large group of employees whose personal and financial information had been posted online by a disgruntled employee.
Data Breach Claim
The employee, Andrew Skelton, was a member of Morrisons’ internal audit team with “super user” access to payroll information for thousands of colleagues. Following a verbal warning for minor misconduct, he uploaded the payroll data file to a publicly accessible file sharing website and sent it to three national newspapers, claiming he was a concerned individual who had found the information online (as well as trying to frame a colleague for the disclosure). One of the newspapers contacted Morrisons, who conducted an investigation and informed the police. Following an investigation by the police and the Information Commissioner’s Office, Skelton was prosecuted and sentenced to 8 years in prison for fraud and computer misuse offences.
The file uploaded online contained the personal data of nearly 100,000 members of staff and potentially placed them at risk of identity fraud. A claim for compensation was subsequently brought by a number of affected employees against Morrisons for breach of the Data Protection Act 1998, misuse of private information and breach of confidence.
At an earlier stage of the legal process, the Court of Appeal decided that Morrisons was “vicariously liable” for the actions of the employee and so could be sued by the affected staff as if the company was to blame. However, this decision has today been overturned by the Supreme Court, which has ruled in favour of Morrisons.
In the judgment, the Supreme Court stated “…no vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta.”
What does this mean for organisations?
This judgment will provide some comfort for employers. If the Supreme Court had found that Morrisons was vicariously liable for the acts of a rogue employee, it would have exposed businesses to serious financial consequences as a result of a rogue employee’s conduct and opened up a potential way for employees with a grudge to cause their employers huge liability. That was part of the argument Morrisons advanced in court: Skelton wanted there to be adverse consequences for the company.
This hard-fought success for Morrisons does not relieve employers of their duties under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 to have appropriate technical and organisational measures in place to protect personal data from unauthorised use or access.
During the course of these legal proceedings, the courts at all levels have pointed out that Morrisons had in place robust technical and organisational measures to prevent the misuse of personal data and did not as a company fall short of what data protection law required. Had Morrisons not proved this, it may have faced a claim for primary liability (e.g. a claim that its own acts or failures caused the data breach) in addition to or even instead of the vicarious liability claim.
What should employers do in response to this case?
They should learn the lesson that it offers and take steps to put themselves on the data protection high ground in the way that Morrisons was able to do. Skelton had to commit various criminal acts and ignore clear policies to do what he did, and that is what has allowed Morrisons to wash its hands of his actions.
This may include security measures (e.g. controls to prevent information being transferred outside of the organisation, the prohibition of USB drives and file sharing sites, and monitoring of IT systems for suspicious activity), restrictions on access to personal data, strong and clear policies made known to all staff, and adequate training. Failure to comply with the GDPR can result in fines of up to £17 million or 4% of annual global turnover (whichever is higher), regardless of whether or not a claim for compensation is brought by affected individuals.
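As an added illustration of the “monitoring of IT systems for suspicious activity” measure (this is example code written for this page, not anything Morrisons or the court described), the rule below runs over a few constructed audit-log lines and flags bulk movement of a payroll dataset to unapproved destinations, to removable media, or outside working hours. The log format, field names, thresholds and allow-list are all assumptions; a real deployment would take them from the organisation’s own logging and policy.

```python
"""Added example: a simple detection rule for bulk payroll exports.

Assumed log format (constructed for this example):
    timestamp|user|role|action|dataset|record_count|destination
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines, not real data from the case.
SAMPLE_LOG = """\
2019-01-10T09:02:11|j.smith|payroll_clerk|VIEW|payroll|1|internal
2019-01-10T10:15:40|a.user|super_user|EXPORT|payroll|99998|sftp.auditor.example
2019-01-10T23:41:05|a.user|super_user|EXPORT|payroll|99998|usb:E:
2019-01-11T00:03:22|a.user|super_user|UPLOAD|payroll|99998|filesharing.example
2019-01-11T08:30:00|h.jones|hr|EXPORT|payroll|12|internal
"""

# Assumed policy values: an allow-list of destinations that are part of the
# normal business process (e.g. the external auditor's transfer host), the
# record count above which an export counts as "bulk", and working hours.
APPROVED_DESTINATIONS = {"internal", "sftp.auditor.example"}
BULK_THRESHOLD = 1000
WORK_HOURS = range(7, 20)  # 07:00 to 19:59
MOVEMENT_ACTIONS = {"EXPORT", "UPLOAD"}
SENSITIVE_DATASETS = {"payroll"}


@dataclass
class Event:
    timestamp: str
    user: str
    role: str
    action: str
    dataset: str
    record_count: int
    destination: str

    @property
    def hour(self) -> int:
        # ISO-8601 timestamp: hour is characters 11-12.
        return int(self.timestamp[11:13])


def parse_log(text: str) -> List[Event]:
    """Parse pipe-separated lines into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, dataset, count, dest = line.split("|")
        events.append(Event(ts, user, role, action, dataset, int(count), dest))
    return events


def detect(events: List[Event]) -> List[Dict]:
    """Return one alert per suspicious movement of a sensitive dataset.

    Each alert carries the reasons that fired so an analyst can see why.
    """
    alerts = []
    for ev in events:
        if ev.action not in MOVEMENT_ACTIONS or ev.dataset not in SENSITIVE_DATASETS:
            continue
        reasons = []
        if ev.destination.startswith("usb:"):
            reasons.append("removable media")
        if ev.destination not in APPROVED_DESTINATIONS:
            reasons.append("unapproved destination")
        if ev.record_count >= BULK_THRESHOLD and ev.hour not in WORK_HOURS:
            reasons.append("bulk export outside working hours")
        if reasons:
            alerts.append({
                "timestamp": ev.timestamp,
                "user": ev.user,
                "role": ev.role,
                "destination": ev.destination,
                "records": ev.record_count,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The authorised transfer to the auditor host raises nothing, which is the point: the rule distinguishes the task the employee was permitted to perform from the movement of the same data somewhere it has no business going, and that distinction is exactly what an organisation wants to be able to evidence after the event.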
Will organisations still face group claims?
The introduction of the GDPR made it easier for individuals (and groups of individuals, e.g. affected employees) to bring claims for data breaches. Individuals can now claim compensation for distress or reputational damage arising from a loss of personal data even where there has been no financial loss. The removal of the need to show financial loss to bring a claim, combined with the increased public awareness of data protection issues following the introduction of the GDPR, has seen a rise in such compensation claims.
The Morrisons judgment does not change this, and organisations must continue to comply with the GDPR. The ability to bring claims for compensation for a data breach remains, particularly where there is a systemic failure in data protection compliance rather than a breach arising from the actions of a rogue employee.
This judgment will provide reassurance to organisations that have implemented a robust data protection compliance programme: technical security measures to prevent unauthorised access to or loss of personal data, policies and procedures to ensure the protection of personal data, and an adequate training programme to ensure staff are aware of the need to protect personal data and of the policies and procedures the organisation has implemented.
In the event of a data breach, organisations with a strong data protection compliance programme may be in a stronger position to argue that the problem stemmed from a rogue employee who had deliberately failed to comply with the organisation’s policies, procedures and training and therefore may have a defence to claims for compensation and enforcement by the ICO.
By Bethany Paliga, Solicitor, Governance, Procurement & Information, Forbes Solicitors