Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
Data protection liability: Full compliance isn’t enough
The actions of rogue employees in data breaches may leave even GDPR-compliant businesses facing huge damages claims
Wm Morrisons Supermarket PLC (Morrisons) has been found vicariously liable for the actions of a rogue employee in breach of data protection legislation, even though the company itself was held to be compliant.
The case raises the serious concern that a company’s full compliance with data protection legislation will still not be enough to protect it from group litigation in the event of a major data breach affecting hundreds of employees, or even millions of customers.
The data breach
On 12 January 2014 a file containing details of 99,998 employees of Morrisons was uploaded to a file sharing site. It showed the name, address, gender, date of birth, phone number, national insurance number, bank sort code, bank account number and the salary of each employee.
An employee of Morrisons, Andrew Skelton, was charged with offences under the Computer Misuse Act 1990 and under section 55 of the Data Protection Act 1998 (DPA), and was sentenced to 8 years imprisonment. In sentencing Mr Skelton, the Judge noted that his actions had been designed to damage Morrisons, apparently due to a grudge over a previous disciplinary matter.
5,518 of the affected employees brought a civil claim against Morrisons. The claim covered both:
- primary liability, for Morrisons’ own alleged breaches of the DPA, the tort of misuse of private information and for breach of confidence; and
- the vicarious liability of Morrisons for the wrongful actions of its employee.
Having considered the facts, the Judge (Langstaff J) concluded that Morrisons had not breached the DPA in any manner that was causative of loss. Nor was it liable under the common law of misuse of private information, or an equitable action for breach of confidence.
However, Mr Skelton was liable: in his actions he had made himself data controller of the data concerned and was therefore liable for breach of the DPA. As part of his role, Mr Skelton had been authorised to handle the data in question and to disclose it to the company’s auditors, KPMG.
The judge held that there was a sufficient connection between the position in which Skelton was employed and his wrongful conduct for Morrisons to be held vicariously liable for that conduct. Morrisons was therefore liable in damages to the claimants to the same extent as Mr Skelton would have been.
The decision related only to liability and (subject to any appeal or prior settlement) the quantum of the thousands of employees’ claims will be decided at a later date.
The concept of vicarious liability can often be a surprise to employers who have never encountered it. Essentially for policy reasons, an employer can be held liable for the actions of its employee which it has neither authorised nor benefited from, and even where such conduct is criminal. That could include, for example, (as in the case of Mohamud, also involving Morrisons as a defendant) a racist assault by an employee on a customer.
The application of vicarious liability principles in data protection matters raises serious practical concerns for businesses. If a rogue employee of a major consumer-facing business released the personal data of millions of customers, that could give rise to potential claims for distress totalling hundreds of millions of pounds or more.
Since Vidal-Hall (see our previous article here), the prospect of group litigation in data breach cases for mere distress, where no other loss is suffered, has been a major concern for businesses. The Morrisons decision marks a further opening of the floodgates, as such claims may succeed where the defendant company is only vicariously liable for the wrongful acts of an employee.
General Data Protection Regulation
Will such vicarious liability remain a concern under the new regime applicable from 25 May 2018?
The provisions concerning civil liability under the GDPR contain the following defence at Article 82(3):
“A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.”
Although worded differently, this may offer no more protection than Article 13(3) of the DPA, which Morrisons tried and failed to rely upon to suggest that vicarious liability should not apply:
“In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.”
Because the rogue employee became the relevant data controller themselves, rather than the employer, the defence did not apply to exclude the employer’s vicarious liability. Accordingly, decisions on the same basis as Morrisons will remain a real concern under the GDPR regime.
There are two crumbs of comfort for employers. Firstly, as mentioned in the decision itself, businesses may be able to insure against such liabilities that have arisen only on a vicarious basis. This may not be the case for all data protection-related liabilities, as the illegality principle means that it is doubtful whether such fines or damages claims arising from the company’s own wrongs are insurable.
The second is that the Morrisons decision is subject to appeal. The Judge, in giving permission to appeal, noted his own discomfort with the concept that Mr Skelton had directed his criminal acts to harm Morrisons and that the decision compounded such harm. That appeal is due to be heard before the end of 2018.
Read the full judgment in Morrisons here.
See all our data protection and GDPR content here.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.