The ruling highlights a clear case for covering exposures as part of good risk management

Supermarket chain Morrisons is not vicariously liable for the actions of an employee who was jailed for eight years in 2015 over a data breach, the Supreme Court ruled last week.

In common law an employer can be vicariously liable for an employee's wrongdoing if it is carried out in the course of their employment, but the acts must be closely connected to that employment.

This incident involved disgruntled former staff member Andrew Skelton, who worked on the internal audit team and leaked payroll data of more than 100,000 workers online.

He was tasked with transferring payroll data for Morrisons’ entire workforce to its external auditors in November 2013. He did so, but made a personal copy of the data that he then leaked on a public website in 2014. He then sent copies of the data to three UK newspapers while posing as a concerned member of the public.

This resulted in more than 9,000 current and former employees of the supermarket chain bringing proceedings against Morrisons on the basis of vicarious liability for Skelton’s actions.

These employees claimed for breach of statutory duty under the Data Protection Act (DPA, 1998), misuse of private information and breach of confidence.

Skelton had harboured a personal grievance against Morrisons since receiving a verbal warning in July 2013 following disciplinary proceedings for minor misconduct.

Off on a frolic

Tim Smith, partner at law firm BLM, told Insurance Times: “This incident took place when the Data Protection Act 1998 was in force, which was a little bit more tolerant than the current GDPR regime. At the time it happened, it was more difficult to pursue a claim. The law regarding data protection has been evolving relatively quickly for lawyers, but for everyone else at a stately pace.

“There have been some pretty important changes – the DPA 1998 as drafted says that you can only get compensation on the condition that you have suffered damage, and if you have suffered damage you could get compensation for distress as well. But you couldn’t get compensation just for distress.”

However, case law has changed substantially since the DPA 1998: Vidal-Hall v Google in 2015, for example, allowed claims for distress alone to be pursued.

The ruling is a “welcome surprise” for the defendants and their insurers.

Smith said that Morrisons had good systems, so it was able to track where the data leak occurred.

But the Supreme Court recognised the complexity of the case and delved deeper into whether the incident was part of Skelton’s role at Morrisons or a personal act.

Smith said that the employee was “off on a frolic of his own”, as Skelton also held a grudge against his employer and did something he absolutely should not have done.

Malicious actors

Meanwhile Martin Sugden, chief executive at software firm Boldon James, said: “The data businesses hold is one of their most valuable assets. Much of this data holds sensitive information about their customers and staff, therefore, if this data were to be breached, it could cost the business a large fine under GDPR.

“Commonly, insider threats are thought to be malicious actors within an organisation who publish sensitive data, as was the case in the Morrisons data breach, but businesses should not see this ruling as a way out; the court did not say there could never be vicarious liability for the conduct of employees in the world of data protection.”

Sugden recommended that businesses invest in measures such as data classification, where confidential documentation has a layer of protection attached to it so that specific rules apply to that data set, for example allowing only manager-level staff to access certain documents.

He added that it is key to educate users to help them understand how they can operate in a more secure way.

Where does this leave insurance?

Smith said: “Historically vicarious liability has been supremely important where people have been hurt or abused. Data is a different one, because it is easy to pinch data or lose it – the market has been quite interested in how this goes, particularly the cyber [insurance] market.

“Generally speaking, vicarious liability is something that public liability and employers’ liability underwriters have a deep understanding of, and it’s not something that creeps into tech and cyber very often.”

This is because such incidents are usually down to human error; in Skelton’s case, however, the act was clearly deliberate.

“We don’t see many situations where physical harm has been caused through the misuse of data, and even financial harm is rare,” Smith said. “It is one of the risks you take as an employer. The clear message that stands from the Court of Appeal is you have an exposure here, you would be well advised to get some insurance in the same way that you do for all your other exposures – it’s part of good risk management.

“You can have a liability for employees doing daft stuff, whether that be a bus driver running someone over, or whether it’s an IT auditor doing something they shouldn’t with data.”

But he stressed that firms are still liable in cases where human error is to blame, which accounts for the vast majority of cases.

Smith said: “There is a limit as to which vicarious liability can apply. It’s still a reminder that if Skelton was negligent rather than criminal, Morrisons would probably be liable. If you are Morrisons that has got to be a concern.”

The Lloyd vs Google case is of equal significance, as it represented a dramatic shift in favour of claimants in privacy liability claims where an individual’s data has been misused.
