Stealing and Distributing Data, a Criminal Offence, and Apparently Acting in the Course of Employment


Various Claimants v WM Morrison Supermarkets PLC [2018] EWCA Civ 2339

SUMMARY

This case is about the Data Protection Act 1998 (DPA 1998), breach of confidence, and whether an employer can be vicariously liable for the criminal actions of an employee where that employee, acting as the data controller for the purposes of DPA 1998, breaches the requirements of the Act. It highlights the wide reach of data protection law: an organisation can still be liable for a data breach even if it has taken appropriate measures to comply with the data protection legislation itself and even if it was the intended victim of the breach.

FACTS

This claim followed a security breach in which Mr Andrew Skelton, a senior IT auditor and former employee of William Morrison Supermarkets plc (Morrisons), released a large amount of personal data relating to the employees of Morrisons and uploaded it on the internet, using his personal computer, outside working hours. Mr Skelton was subsequently convicted of criminal offences arising from this conduct and was sentenced to eight years' imprisonment. In a group litigation claim, 5,518 employees commenced proceedings against Morrisons and sought compensation for misuse of private information, breach of confidence and breach of statutory duty owed under DPA 1998.

HIGH COURT DECISION

On 1 December 2017, the High Court cleared Morrisons of direct liability, since Mr Skelton was acting as the data controller, for the purposes of the DPA 1998, in relation to the data which was wrongfully disclosed. Morrisons had also generally put adequate controls in place to protect the data, and its one error in this regard did not cause or result in the data breach.

The High Court, however, found Morrisons to be vicariously liable for Mr Skelton’s actions. It was held that the DPA does not exclude vicarious liability, despite not expressly referring to it. The fact that the senior IT auditor’s disclosure of the data was made much later, from home, outside working hours, and using personal equipment did not break the connection with his employment. It was held that Mr Skelton acted in the course of his employment and Morrisons was therefore vicariously liable for his actions.

A full reading of the decision can be found at https://www.bailii.org/ew/cases/EWHC/QB/2017/3113.html

COURT OF APPEAL DECISION

On 22 October 2018, Morrisons appealed this decision on three grounds: i) the DPA excludes vicarious liability; ii) the DPA excludes causes of action for misuse of private information and breach of confidence (directly or vicariously); and iii) the wrongful actions of Mr Skelton did not occur in the course of his employment and therefore Morrisons could not be vicariously liable.

The Court of Appeal upheld the High Court’s decision. In relation to the first and second grounds of appeal, it held that, whatever the position on vicarious liability for breach of DPA 1998, vicarious liability for misuse of private information and breach of confidence had not been excluded by the DPA. The Court of Appeal noted that if Parliament had intended to exclude the common law vicarious liability of an employer for a data breach caused by its employee, who was also the data controller, it would have expressly stated so.

In regard to the third ground of appeal, the Court of Appeal rejected Morrisons’ claim that vicarious liability only applies when the employee is on the job and that it therefore did not apply here, since Mr Skelton uploaded the data on his personal computer outside the ‘job’. The Court of Appeal held that "there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events". Morrisons argued unsuccessfully that to impose vicarious liability on the employer would render the Court an accessory in furthering Mr Skelton’s criminal agenda. The Court in its response held that the motive of the employee is irrelevant, as established in Mohamud v WM Morrison Supermarkets PLC [2016] UKSC 11.

A full reading of the decision can be found at https://www.bailii.org/ew/cases/EWCA/Civ/2018/2339.html

SUPREME COURT APPEAL

The Supreme Court, the highest court in England and Wales, recently granted Morrisons permission, on 15 April 2019, to appeal against the Court of Appeal ruling that it was vicariously liable for its employee’s misuse of data. A hearing date for the appeal has been set for 6-7 November 2019.

HOW THIS CASE MAY IMPACT BUSINESSES

The law of vicarious liability has developed considerably in recent years, in a manner which has been widely perceived to favour claimants. The outcome of Morrisons’ appeal will be of concern to employers because, if the Court of Appeal’s decision is upheld, it means, as a matter of law, that an employer can be held vicariously liable for the rogue actions of its employees.

The current concern for businesses is the emergence of group litigation claims for distress following a personal data breach, especially in the post-GDPR world, where there is an express right for individuals to be compensated for non-material damage, which includes distress. Even though individuals affected by a data breach may not be personally entitled to significant sums, if the breach affects a large number of individuals, the total potential liability for organisations could become commensurately large.

It remains to be seen how the Supreme Court will approach the issue of vicarious liability against Morrisons. With multiple data breaches having hit the headlines since the new GDPR rules came into force, it will be interesting to see the impact of this decision on future data breach class action claims in the UK.
