In an unprecedented decision, the UK Supreme Court has ruled that Morrisons cannot be held liable for the data breach caused by a disgruntled employee. The case has brought the question of vicarious liability, which organisations can face for the acts of their staff, into sharp focus. The ruling may have gone in favour of Morrisons this time, but the basic tenets of the law remain intact, Brodies Solicitors partner Martin Sloan told SC Media UK.
“Vicarious liability is the principle under which an employer is liable for the acts of its employees. There needs to be a ‘close connection’ between the duties of the employee and the offensive act,” said Sloan.
Morrisons argued that it cannot be held liable for the actions of an employee with a “grudge” who leaked the payroll data of almost 100,000 members of staff. More than 9,000 claimants demanded compensation for the distress they faced after the data breach.
The breach in question happened in 2014, when internal audit team employee Andrew Skelton leaked the payroll data for the entire workforce of the company. He was disgruntled after receiving a verbal warning in 2014 following disciplinary proceedings for minor misconduct, the judgment said.
Even though Morrisons bore no primary responsibility, employees sued the company, arguing that it was vicariously liable. “The judge rejected the appellant’s argument that vicarious liability was inapplicable given the Data Protection Act’s content and its foundation in an EU Directive,” the judgment summary concluded.
“In this case, the Supreme Court said that leaking the data was not so closely connected with the employee’s duties that it could be said he was acting in the ordinary course of his employment. It was a personal vendetta,” Sloan explained.
“The High Court had already decided that Morrisons was not directly in breach of data protection law. For the purposes of data protection law, the employee had been the controller in relation to the leaking of the data. The issue before the Supreme Court was whether an employer could be vicariously liable for the acts of an employee where that individual had deliberately disclosed personal data with the intention of harming Morrisons.”
The Supreme Court overturned the previous rulings by the High Court as well as the Court of Appeal, which held Morrisons liable for Skelton’s actions. The industry and media perceived this ruling as a deviation from previous judgments on similar issues, but this is not the case, Sloan argued.
“The Supreme Court looked at previous judgments on vicarious liability and decided that the previous decisions in the Morrisons litigation had misinterpreted case law on vicarious liability. That case law has developed over many years, but the principles remain unchanged by this judgment,” Sloan explained.
This judgment does not absolve organisations of their liability in the event of a data breach, Sloan pointed out.
“The judgment provides welcome clarification in relation to deliberate acts carried out by employees intended to harm their employer. However, employers still have duties under data protection law to put in place appropriate measures to prevent unauthorised access to, or disclosure of, personal data. That responsibility also extends to unauthorised access by employees.”
Sloan expects this decision to be widely welcomed by employers, as it provides clarity on the scope of vicarious liability, particularly in relation to malicious acts. However, it is important that employers continue to be vigilant and keep their information security measures under review. If they do not, they risk being in breach of data protection law, he warned.
Organisations are expected to put all possible protections in place over customer data, such as encryption and restrictions on who has access. A common defence, however, is that there is little an organisation can do when legitimate staff with legitimate access abuse their privileges.
That defence will not hold in every situation, Sloan suggested.
“In this case, the court made it clear that there was nothing else that Morrisons could reasonably have done to prevent the breach. The information shared online by the employee was information that he was authorised to access as his duties included sending it to auditors,” he said.
“On a different set of facts, the court may have held that Morrisons was directly in breach of its obligations under data protection law. Employers should continually review their information security measures to see how these could be improved. For example, it is now possible to obtain software that detects or prevents leakage of data from corporate networks.”
The employees’ own claim remains unaddressed here. In this particular situation, the employees theoretically have a claim against Skelton for the damage and distress they suffered.
“However, given he is in jail, that claim is unlikely to be worth pursuing,” Sloan added.