Data privacy and compliance officers for companies doing business in the United Kingdom should note the significant implications of a recent decision in the UK dealing with rogue employees engaged in the misuse of company data. Although this litigation commenced some two years before implementation of the General Data Protection Regulation (the “GDPR”), it is applicable to the post-GDPR regime. In the decision, the second most senior court in England and Wales held that a company remains vicariously liable for the actions of a rogue employee where he intentionally caused a personal data breach targeted at the company and its staff. 

Given the issues raised by the courts to this point in the proceedings, we suggest that some key points for companies to note are: 

  1. Broader liability for employers: The court’s decision in this case increases legal risks for companies; 
  2. Security and the insider threat: Companies across the board should be investing time and resources in cybersecurity measures, including those focused on insider threats; 
  3. Insurance coverage: Companies should consider the scope of insurance coverage for data incidents and data breaches; 
  4. Heightened risks post-GDPR: Had the present case been brought under the GDPR, the company would have faced some additional regulatory burdens, including risks of substantially increased fines had its preparations and response been found wanting per the GDPR's requirements.

A fuller summary of, and commentary regarding, the case is set out below. 

Summary of Wm Morrison Supermarkets PLC v Various Claimants 

On 22 October 2018, the Court of Appeal (the “CA”) upheld a ruling by the High Court that Wm Morrison Supermarkets PLC (“Morrison”) is vicariously liable for a data breach by a former disgruntled employee. 

These proceedings relate to the first UK group litigation regarding a personal data breach brought, inter alia, under the pre-GDPR Data Protection Act 1998 (the “DPA”). Andrew Skelton, a discontented employee of Morrison, with legitimate access to large tranches of staff personal data, unlawfully disclosed the names, addresses, and tax and bank details of approximately 100,000 Morrison employees. Subsequently, over 5,000 employees brought group litigation proceedings against Morrison itself. 

At first instance, the High Court held, in December 2017, that Morrison was not directly liable for the breach because it had not itself misused any personal data, and it had implemented appropriate data security measures within the company. However, the Court also held that a company should nevertheless be vicariously liable for actions of an employee even where that employee acts in a criminal manner without authority against the interests of that same company. 

The High Court acknowledged that this was a difficult judgment to reach, with the judge stating that: 

“The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of [the employee] were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims” (Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 – paragraph 198). 

Morrison appealed the High Court decision on three grounds:

  1. that vicarious liability does not apply to the company’s obligations under the Data Protection Act 1998 (the “DPA”);
  2. that the DPA displaces the common law torts of misuse of private information and breach of confidence; and
  3. that the High Court was wrong to rule (1) that the data breach by Mr Skelton had taken place during the course of his employment with Morrison, and (2) that the company was vicariously liable for Mr Skelton’s wrongful acts.

Commentary

The CA rejected Morrison’s appeal. The CA concluded that the vicarious liability of an employer for breach of the DPA, misuse of private information or breach of confidence by an employee had not been excluded or displaced by the DPA. The CA also rejected Morrison’s third ground of appeal, agreeing with the High Court that Mr Skelton’s actions in obtaining and then misusing the data were not disconnected from the course of his employment as they were carried out as part of an "unbroken chain" of events within the field of activities assigned to him as an employee. 

As for quantum of damages, it remains unclear at this stage how the claimants will be compensated because, so far as the court was aware, none had suffered financial loss. The issue may therefore turn upon quantification of the personal distress caused by the data breach, a claim recognised by the CA in the Vidal-Hall v Google decision of 2015 (Google Inc. v Vidal-Hall and others [2015] EWCA Civ 311).  In Morrison, whilst the CA noted the potential for claims being made for "ruinous amounts", it pointed out that the solution for this was to insure against losses caused by dishonest or malicious employees and not to remove a remedy available to the victims.  

Significantly, both the High Court and the CA (and indeed the Information Commissioner’s Office in its earlier investigation of the incident) noted the appropriate nature of Morrison’s data security policies and procedures. In this case, the CA did not criticize Morrison’s security, which was considered in some detail. This suggests that, had the company’s security been inadequate, this would have been the subject of adverse judicial comment and its liability could have increased as a result of reputational damage and regulatory penalties under the DPA. This highlights the importance of cybersecurity as an essential element of business risk management for companies. .

Morrison has stated that it will take its appeal to the United Kingdom’s Supreme Court, so this remains a case for privacy lawyers and corporate compliance officers to watch closely. In the meantime, we take note of the following key points from the CA decision: 

  1. Given the ease with which data breaches can occur and the potential for the loss which they might cause, the scope of an employer’s vicarious liability has, as a practical matter, broadened significantly.
  2. All companies must invest time and money in their own cybersecurity measures, including (1) technical restrictions and monitoring/surveillance, (2) incident response training, and (3) on the human factor specifically, the vetting and monitoring of employees with enhanced access permissions/privileges to the company’s data (e.g. IT staff, HR teams, board directors and their assistants).
  3. All companies should consider their insurance coverage for data incidents and data breaches. As mentioned above, the CA referred expressly to the availability of insurance as a solution for companies concerned by the financial implications of the court’s decision. 

To discuss the issues raised by this note, please contact our cybersecurity and data privacy practice team in London and Washington, DC. 

FOR QUESTIONS OR MORE INFORMATION, PLEASE CONTACT:

Anupreet Amole

P: +44.20.7851.6118

F: +44.20.7851.6100

Guillermo Christensen

P: +1.202.536.1730

F: +1.202.536.1701

Mark A. Lubbock

P: +44.207.851.6062

F: +44.207.851.6100