Morrisons Wins Supreme Court Ruling Over Data Breach

Last week the Supreme Court overturned the judgements of the High Court and the Court of Appeal in a case involving the unauthorised publishing of the payroll details of thousands of Morrisons’ employees. The Supreme Court, ruling in Morrisons’ favour, determined that Morrisons should not be held “vicariously liable” for a malicious data breach committed by a disgruntled employee. This finding will no doubt provide employers with some relief that the scope of vicarious liability has been somewhat limited as they get to grips with data protection in today’s work from home world.

Background

You may remember that, back in 2013, Morrisons suffered a data protection breach when one of their employees, Andrew Skelton, an internal auditor for the business, uploaded a file containing the personal data of 98,998 Morrisons employees to a file-sharing website and circulated the same to a number of newspapers, which did not publish the data but instead notified Morrisons. Morrisons informed the police and took the necessary steps to ensure that the personal data of almost 100,000 of their employees was removed from the internet. As a result of the breach, Skelton was charged with offences under the Computer Misuse Act 1990 and the Data Protection Act 1998, and sentenced to 8 years’ imprisonment for his criminal activities.

While Skelton’s sentence would have undoubtedly been a relief for many of the employees who had their personal data leaked, his conviction did not offer them any financial compensation for their ordeal. The employees (and by now some ex-employees) decided to bring an action against Morrisons for damages in respect of alleged “distress, anxiety, upset and damage”. This action was brought on the basis that Morrisons was “vicariously liable” for Skelton’s wrongful conduct relating to his breach of the Data Protection Act 1998, misuse of private information and breach of confidence.

Data Protection and Vicarious Liability

In circumstances like these, it is not uncommon for claimants to bring actions against employers by claiming they are vicariously liable for their wrongdoing employees. Claimants have good reason to do this - employers are usually better resourced to settle claims and insure against loss – and many claims have been successful. However, there are limits and vicarious liability was not established in this case. The Supreme Court found that at the time of the wrongdoing, “Skelton was not engaged in furthering his employer’s business”, but instead was “pursuing a personal vendetta” against the supermarket chain after being subject to disciplinary proceedings.

As more and more people are working from home, with some having considerable levels of access to personal and sensitive data at their fingertips, employers will be more aware than ever that the possibility of a data breach is very real. Currently, employees find themselves adapting to home working routines during the COVID-19 epidemic and it’s especially important that employers issue clear guidelines around securing personal data and acceptable use of mobile electronic devices at this time.

This ruling will hopefully help to reassure those employers that the scope of vicarious liability has not been widened. However, while this case goes some way in clarifying who will be liable – employer or employee – in data breach cases where the employee has some underlying malicious intent, it does not clarify the position on accidental data breaches. Employers should be aware that they may still be held vicariously liable for data breaches which occur during the course of an employee carrying out their ordinary employment duties.

There is clearly a balance that needs to be struck between the data subjects who become the victims of a data breach caused by either criminal activity or just simple negligent behaviour, and the employers who may find themselves innocently on the other side of a claim for a data breach. For victims, this current case would suggest that their remedies may be limited and are not likely to include financial compensation. However, how the courts will decide where this balance is struck in data breach cases under different circumstances is yet to be seen.

The Supreme Court’s decision is not a blanket exception and organisations must ensure they have robust compliance in place to protect personal data. In order to prevent data breaches, malicious or not, we would recommend employers consider appropriate organisational and security measures which could be implemented to minimise risk. For our tips on recognising and preventing data breaches, read our top tips for businesses.

If you would like to discuss any of your Data Protection concerns, please contact Loretta Maxfield or Morgan O’Neill on 03330 430350 or alternatively by email: lmaxfield@thorntons-law.co.uk or moneill@thorntons-law.co.uk  

About the authors

Loretta Maxfield

Partner

Data Protection & GDPR, Intellectual Property

Morgan O'Neill

Director, Data Protection Services

Data Protection & GDPR

For more information, contact Loretta Maxfield on +44 1382 346814.