A recent U.K. court ruling means that organisations can be held liable for breaches of personal data, even if the act was malicious and the company could demonstrate that it had suitable controls, policies and procedures in place to protect that information.

Organisations can also be held legally liable for malicious breaches and data hacks even if the regulator believes that no harm to anyone has occurred as a result.

In December 2017, U.K. supermarket chain Morrisons was found liable for a malicious data breach caused by a disgruntled former employee that saw the personal and financial details of nearly 100,000 staff uploaded to an online file-sharing website and sent to local newspapers.

Workers brought a class action claim against the company last October after employee Andrew Skelton, a senior IT auditor, stole the data—which included names, addresses, National Insurance numbers, bank account details and salaries—and deliberately leaked it following a disciplinary matter in 2014.

Disciplined, but not dismissed, Skelton stole the data as part of a grudge against the company. He was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data. The supermarket chain says that the breach cost it £2 million (U.S.$2.75 million) to rectify.

Lawyers acting for the claimants said the data theft meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.

Following a trial brought by 10 lead claimants, Mr Justice Langstaff held that although Morrisons was not directly liable for the data breach, the company was “vicariously liable” for Skelton’s actions. Significantly, the judge also ruled that staff could claim for compensation for the “upset and distress” caused without proof of financial loss.

“It is important particularly in the light of the GDPR and the forthcoming new DPA that employers have in place appropriate systems to keep secure the information they hold not just on behalf of employees.”
Iain Jenkins, Employment Law Expert, Blacks Solicitors

The court held that the company was not directly liable for any breach, as at the time the personal data breach took place, it did not control the purpose for which the data was being (mis)used. The judgment says that “Morrisons did not know nor ought they reasonably to have known that Skelton posed a threat to the employee database.” It says, instead, that the misuse was due to Skelton alone, which meant that he was primarily in breach of the principles set out in the Data Protection Act (DPA).

However, the court also held that an employer can be held “vicariously liable” for the acts of its employees—so long as the employee is acting in the course of his employment. Morrisons tried to prove that Skelton was not. As part of its defence, the company said that the disclosure of the claimants’ personal details did not involve a work computer, and nor was it part of his day-to-day work. Morrisons also argued that the breach occurred outside of Skelton’s usual working hours (the breach took place on a Sunday—a non-working day for Skelton. Lastly, the supermarket chain said that the leak was a personal act by Skelton that was specifically designed to harm the company.

Morrisons also argued that the DPA excluded the possibility of vicarious liability and that the legislation left “no space for the common law tort of misuse of private data or the equitable action for breach of confidence.”

Both of these arguments were rejected. The claimants successfully argued that there was a “clear link” between the work that that the company required Skelton to carry out, and the disclosure of the personal information that he legitimately had access to.

The case is the first data leak class action to take place in the United Kingdom, and is also the first time in which it has been held that vicarious liability applies to DPA claims.

Some lawyers believe that when the General Data Protection Regulation (GDPR) comes into effect in May, such group claims will be more frequent as they can be brought to court more easily.

Four key points of the judgment

The High Court judgment highlights a number of important issues that compliance officers and organisations should be aware of. Firstly, while the judge held that the systems and processes that Morrisons had in place to protect personal data were entirely adequate, the court still found the company legally liable for the breach (although not primarily responsible).
Secondly, companies can still expect compensation claims for data breaches even when the regulator does not impose any sanctions. The Information Commissioner’s Office (ICO), the U.K.’s data protection regulator, had investigated the case but decided that on the evidence presented, it fell below the necessary criteria for formal enforcement action. In its view, Morrisons had processes and procedures in place to protect personal data, no harm was done to any data subject, and the breach was the criminal act of an employee acting in bad faith. The High Court’s ruling is at odds with this.
Thirdly, the judge accepted that his ruling may have inadvertently helped Skelton achieve his aims of causing the company serious harm. In the last paragraph of his judgment, he says that “the point which most troubled me in reaching these conclusions” was that he may have “render[ed] the court an accessory in furthering his [Skelton’s] criminal aims.” It was this concern that prompted the judge to grant Morrisons the right to appeal.
The issue of “vicarious liability” is also a key concern for compliance functions and their organisations, say lawyers. Andrew Hartshorn, partner in the information law team at law firm, Shakespeare Martineau, says that “all organisations should sit up and take notice of this decision.”
“No party has been held ‘vicariously liable’ under the Data Protection Act for the last 20 years,” says Hartshorn. “This adds a new dimension for businesses to consider when handling personal data. Not only are organisations liable for data breaches but they can also be held accountable for the unexpected actions of employees.”
Meanwhile, Emma Stevens, a solicitor in the dispute resolution team at law firm Coffin Mew, adds that “the fact that the courts have been willing to find vicarious liability in such extreme actions in this case means that the risk of liability to organisations has now potentially broadened in scope.”
—Neil Hodge

In a statement, Morrisons believes that—as an “innocent party”—it should not have been held responsible and has been granted leave to appeal the decision.

Some lawyers believe that the company’s appeal will likely be successful, and several consider the ruling to be troubling. “From a corporate compliance standpoint, the decision causes a problem, since there is in effect very little that can be done to protect an employer (and consequently data subjects) from the actions of a rogue employee,” says Kelly Hagedorn, partner at law firm Jenner & Block.

Alastair McArthur, partner and head of employment at law firm Herrington Carmichael, says that it is “daunting” that an employer could be liable for such an unauthorised breach. Mark Deem, litigation partner at law firm Cooley, says that “while the ruling does not establish any new principles of law, it certainly makes the case that organisations need to audit their data protection processes and policies to minimise the potential impact of any breach.”

Morrisons was awarded £170,000 (U.S.$234,000) compensation against Skelton. The sum the employees are looking for is likely to be higher. Any further hearing about amounts of compensation, however, will not take place until the company’s appeal has concluded.

Experts say that the case highlights several take-away points for compliance professionals and their organisations. Sean McDonough, employment law partner at law firm Mogers Drewett, says that “companies would be advised to conduct a thorough review of their data protection procedures. If the class action against Morrisons is successful [after the appeal], the stakes could simply be too high not to.”

According to Rachel Ashwood, senior counsel at law firm Taylor Vinters, organisations should assess whether employee access to confidential information should be curtailed, or limited.

In the Morrisons case, the court found that there was nothing about the original disciplinary incident that suggested Skelton could not be trusted with handling confidential information, including details about employees. But, she says, in light of the judgment, it is apparent that depending upon the circumstances, it may be an appropriate security measure to consider whether a disgruntled employee should continue to have the same access to confidential information (though organisations will need to ensure that “mutual trust” with employees is not put at risk because of such access restrictions).

Organisations should also review their data retention policies, says Ashwood. While the court held that the systems and processes that the company had in place were entirely adequate, the judge found that Morrisons failed to ensure that the personal data which Skelton legitimately had access to was suitably deleted after the requirement to hold the data for auditing purposes had expired.

Furthermore, with the impending General Data Protection Regulation (GDPR) coming into force in May, it will be even more important for employers to ensure that their data systems comply with the core data protection principles, not least the sixth principle of “integrity and confidentiality.”

“It is important particularly in the light of the GDPR and the forthcoming new DPA that employers have in place appropriate systems to keep secure the information they hold not just on behalf of employees,” says Iain Jenkins, employment law expert at Blacks Solicitors.

“The GDPR imposes liability on data controllers and data processors, with significant fines for data breaches. There are also new reporting requirements where a breach has taken place. Companies and employers need to take steps now to ensure compliance with GDPR and that their systems are robust and their employees are properly trained.”