Insure against rogue employees, is the clear message from the Court of Appeal in the latest significant judgement from the courts that relates to personal data in WM Morrison Supermarkets PLC v Various Claimants.

Many readers will be familiar with the circumstances which have led to nearly 6,000 Morrisons employees seeking compensation for a data breach. The breach occurred when a rogue employee, Mr Skelton, released a load of Morrisons' payroll data onto the dark web, and then contacted the press so as to cause adverse publicity for Morrisons. Mr Skelton's actions were motivated by his (extreme) dissatisfaction after having been disciplined for an unrelated reason. Ultimately Mr Skelton ended up being sentenced to eight years in prison, under both the Computer Misuse Act 1990 and the Data Protection Act 1998.

The various claimants in this case (employees of Morrisons whose personal details were disclosed) are seeking to hold Morrisons to account for Mr Skelton's actions, and ultimately to receive compensation from Morrisons.

Late last year the High Court (Mr Justice Langstaff) determined that Morrisons was vicariously liable for the actions of Mr Skelton. This is in spite of the fact that (subject to one minor exception) Morrisons had not breached its obligations under the Data Protection Act 1998. 

Vicarious liability acts so as to make one party responsible for the wrongdoing or negligence of another.  The most common source of vicarious liability cases is the employer-employee relationship.

So, whilst Morrisons had not done anything (much) wrong, was not the data controller in respect of the relevant personal data at the time of disclosure (that was Mr Skelton), and had clearly not encouraged or condoned Mr Skelton’s actions (which were designed to harm Morrisons), Langstaff J still found that Morrisons was liable: the connection between Skelton’s acts and the employment relationship was too strong to find otherwise.

The judge recognised that his judgement was significant, and so granted permission for Morrisons to appeal to the Court of Appeal. The Court of Appeal has now issued its judgement, and it is not good news for employers.

The Court of Appeal has held that Langstaff J’s judgement was correct: the close association between Skelton’s employment and his actions meant that Morrisons are vicariously liable.

The Court of Appeal heard extensive and powerful submissions on behalf of Morrisons as to the consequences of this finding: an organisation that does everything properly, and puts appropriate systems and training in place, will still be liable for the acts of their employees.  The act does not have to be authorised by the organisation; it does not have to be part of the employee’s duties; it does not have to be in the best interests of the organisation (indeed  it can be an act designed to harm the organisation).  It is simply enough that there is a close enough connection between the act and the employment.

What should organisations do?  Short of deciding never, ever, again to process data (or to employ anyone), all they can do is seek to minimise risk.  This might include:

  • Putting in place adequate security processes, with as many fail-safes in the system as possible.
  • Ensuring employees have proper training, and only have access to the systems that they need. This is particularly the case with sensitive data, relating to health, or finances, for example.
  • Monitoring. Install auditing software, so it is clear who is in possession of what data, and what they are doing with it; and finally…
  • Taking up the Court of Appeal’s recommendation and speaking to your insurance broker. The Court of Appeal clearly understood the issue and its significance, and also the limited wriggle-room that organisations have:

“There have been instances reported in the media in recent years of data breaches on a massive scale caused by either corporate systems failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward…”

This case has some way still to run. There is the prospect of an appeal to the Supreme Court.  In addition, there needs to be some consideration of remedy.  The 6,000 Morrisons claimants are seeking compensation, and the judgements have so far not considered this.

No doubt the bill to Morrisons will be hefty (any figure multiplied 6,000 times is likely to be huge). However, the amount of compensation is going to be dependent upon the damage caused, and as we have seen from the recent case involving Google (see article here) the courts do not seem to be interested in awarding compensation simply because there has been a data breach. There needs to be some damage. This may be the distress caused by the knowledge that private financial information has been shared with criminals, or there may be financial loss; we shall wait and see.

In the meantime, organisations need to keep up the good work that many are already doing on data protection compliance.  Remember, the Morrisons case relates to the “old” data protection legislation, and not to the post-GDPR world.  However, the judgement is unlikely to have been any different under the GDPR, or under the Data Protection Act 2018.

For more information please contact Matthew Cole - mcole@prettys.co.uk - 01473 298221 or Emma Loveday-Hill - elovedayhill@prettys.co.uk - 01473 298266