On 22 October 2018 the Court of Appeal dismissed Morrisons’ appeal against Mr Justice Langstaff’s High Court ruling that it was vicariously liable for a data breach by an employee - Andrew Skelton. He had deliberately disclosed personal data relating to more than 5,000 employees and, by doing so, committed a criminal act and was in breach of an obligation of confidence and, perhaps most importantly, of the Data Protection Act 1998 (“DPA”).
Skelton was a senior IT internal auditor employed by Morrisons. Unknown to Morrisons, he held a grudge against his employer in respect of an earlier disciplinary hearing, where he was given a verbal warning. The data breach occurred when the external auditors, KPMG, asked for a number of categories of data (including payroll data). Skelton was given the USB stick with the data and downloaded the data onto his laptop, before copying the data onto another encrypted USB from KPMG, which he returned to that firm.
Some days later, while at work, he copied the payroll data onto a personal USB, and later posted personal data relating to 99,998 employees on a file sharing site. He also sent CDs anonymously to three national newspapers. Alerted by the newspapers, and within a few hours, Morrisons had alerted the police to ensure the website was taken down. Skelton was subsequently arrested and charged with fraud and offences under the Computer Misuse Act 1990 and DPA, s 55. He was convicted and sentenced to eight years’ imprisonment.
A group action was commenced by 5,518 employees seeking damages for misuse of private information, breach of confidence and breach of the statutory duty owed under DPA, s 4(4). The action claimed Morrisons was primarily liable under those heads of claim or, if not, they were liable vicariously for the wrongful conduct of Skelton.
Basis of liability
At first instance it was held that, save for failing to delete the data after use, Morrisons had provided adequate and appropriate controls. Since Morrisons did not itself misuse the data, the judge therefore dismissed the claim that Morrisons had primary liability. However (and there was a hint of reluctance in this regard), he found Morrisons vicariously liable, as it was responsible for the actions of its employee during the course of his employment.
The Court of Appeal rejected the supermarket’s arguments that (a) the DPA did not cover the wrongful processing of data caused by an employee’s breach; and (b) the test for vicarious liability failed since the employee was not “on the job” at the time of the breach. The court decided that the complete absence of any DPA provision addressing the employer’s position for a DPA breach by an employee, inevitably meant the High Court was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances was not expressly or impliedly excluded by the DPA. It also unanimously agreed that the acts committed were within the field of the activities assigned to Skelton and constituted a “seamless and continuous sequence” or an “unbroken chain” of events, and that there was no exception to the irrelevance of the motive of the employee, even where the motive was to cause further financial and reputational damage to the employer (a point that particularly troubled the court at first instance).
Comments
The appeal judges were aware of the potentially catastrophic effects this judgment could have for companies when dealing with data breaches caused either by their system failures or the negligence or wrongful acts of their employees. With the GDPR and the Data Protection Act 2018 now in force, the position is more severe. Section 56 of the Act imposes obligations on data controllers to ensure that appropriate data protection policies and technical and security measures are in place; s 66 imposes obligations on controllers to implement security systems to prevent unauthorised processing; and s 170 makes it an offence to disclose personal data without the consent of the controller.
Article 82 of the GDPR provides the right to claim compensation (for breaches causing material or non-material damage) from data controllers or processors, and the ICO also has power to impose sanctions of up to €20 million or 4% of global annual turnover. Now, more than ever, employers must ensure that their internal policies for employees and contractors are up to date, review their security measures, focusing on encryption and “wiping” devices remotely, and so on. The court’s practical, if somewhat unusual, advice was for businesses to make sure their insurance policies cover such eventualities.
Watch this space, though, as Morrisons intends to appeal to the Supreme Court.
Sophie Graham is an Assistant Solicitor at Wright, Johnston & Mackenzie LLP. She can be contacted on 0131 524 1500. Wright, Johnston & Mackenzie LLP is a full-service, independent Scottish law firm, with a history stretching back 165 years, operating from offices in Glasgow, Edinburgh, Inverness, Dunblane and Dunfermline. Further information can be found at wjm.co.uk. Wright, Johnston & Mackenzie LLP is authorised and regulated by the Financial Conduct Authority. FCA reference number 231170.
This article originally appeared in The Journal.
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereComments are closed on this article