LawFlash

UK Court of Appeal: Employers Are Liable for Employee Data Breaches

October 24, 2018

The UK Court of Appeal recently upheld a decision by the UK High Court ruling that employers can be vicariously liable for an employee’s misuse of personal data under the control of the employer. Employers should also be aware that the case involved the UK’s first instance of a group litigation order being used for a data breach.

In December 2017, the UK High Court held for the first time that an employer could be vicariously liable for an employee’s misuse of personal data for which the employer was responsible. The case, Various Claimants v. WM Morrisons Supermarket PLC, is also the first example of a group litigation order being used for a data breach in the United Kingdom, potentially marking a new risk for employers at a time when the spotlight is on data protection obligations under the EU General Data Protection Regulation (GDPR), which came into force on 25 May 2018.

Given the groundbreaking nature of the case, the High Court granted Morrisons permission to appeal. In a hearing that began 9 October 2018, the Court of Appeal ultimately upheld the decision of the High Court and confirmed that the Data Protection Act 1998 (DPA) does not protect an employer from breaches by a rogue employee.

Background

Andrew Skelton was a senior IT auditor employed by Morrisons and had been involved in a project involving payroll data. He had previously been disciplined for misconduct. In 2014, Mr. Skelton copied the personal information of around 100,000 employees onto a USB drive and published it on the dark web. He subsequently sent the data to various newspapers. Mr. Skelton was convicted of offences under the Computer Misuse Act 1990 and the DPA, and is currently serving a term of eight years in prison. There was no substantive allegation that Morrisons had breached its obligations as the data controller to protect this personal data. The claimants in the current case were a group of more than 5,500 Morrisons employees affected by the data leak. There is no suggestion that they suffered financial harm or damages. They sought compensation from Morrisons for breach of the DPA, as well as common law claims for the tort of misuse of private information and an equitable claim for breach of confidence. The claimants alleged both a direct breach of the DPA by Morrisons for failing to protect their data and that Morrisons was vicariously liable for the actions of Mr. Skelton.

High Court Decision

Morrisons, as the employer, is ordinarily regarded as the data controller of its employees’ data. It determines how the data is used for its own purposes. Morrisons argued that in relation to Mr. Skelton’s unlawful and unauthorised disclosure of the payroll data, Morrisons was not the data controller responsible for the misuse of the data, and that Mr. Skelton was a data controller in his own right. As such, he, not it, should be found liable for breaching the DPA. The High Court rejected the direct breach claim since Morrisons was not the “data controller” (as defined in the DPA) at the relevant time with respect to the data breach. It did, however, find that Mr. Skelton became a data controller in his own right at the time he misused the data for his own purposes.

The High Court found that Morrisons did have proper control mechanisms in place to protect employees’ personal data. There was no finding that Morrisons had breached the DPA in its systems of control and security processes to keep the personal data secure (there was a finding of one minor breach of the DPA, which did not give rise to any loss to the claimants). This is an important finding for Morrisons, as it means it was not directly liable for breaching its obligations to protect the employees’ data under the DPA. The High Court, however, found in favour of the claimants with respect to the vicarious liability claim. This finding means that employers can still be liable—even where they had correct policies and procedures in place to train employees and to protect personal data—because of the actions of rogue employees.

The High Court held that the DPA does not exclude the possibility of vicarious liability and that an employer can be vicariously liable for the actions of employees in relation to data breaches. In the current case, the High Court held that there was a sufficient connection between Mr. Skelton’s employment and the wrongful conduct to hold Morrisons liable. The High Court found that “there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events,” even though the disclosure itself did not occur on a company computer or during working hours.

Since the High Court decision, both the GDPR and the new UK Data Protection Act 2018 have come into force, but they do not change either the basis of controller liability for data breaches or the principles of vicarious liability.

Appeal Decision

The Court of Appeal upheld the High Court’s decision that the DPA does not expressly or impliedly exclude the possibility of vicarious liability. Morrisons argued that the DPA does not allow for employers to be held vicariously liable for deliberate breaches committed by workers, where the sole motive is to harm the employer rather than for personal gain. Nevertheless, the Court of Appeal held that motive is irrelevant in such circumstances and that the solution is for employers to “insure against such catastrophes.”

What Next for Employers?

The decision is significant for all organisations that handle personal data. It demonstrates that even where an employer has done everything it reasonably can to prevent employees misusing personal data, and is not itself legally at fault for breaching technical and organisational security breaches under the DPA, it may nevertheless be vicariously liable for the actions of those employees. The judgment also illustrates the broad approach given to the “close connection” between employers and employees test. Employers should therefore be alert to potential liabilities in this area and review employee monitoring practices as well as recruitment and training measures. Employers should also consider the option of insuring against such possibilities.

The case also represents the first instance of group litigation being brought against a data controller in relation to data protection. Such class actions are common in the United States and this case indicates a greater trend towards class actions in the English legal system.

The GDPR can give rise to significant liabilities of up to 4% of global turnover or 2 million euros, whichever is higher, for data breaches. It remains to be seen how the data protection authorities and/or courts will apply this vicarious liability approach to such stringent fines.

What more can employers do to protect themselves against being found vicariously liable for the acts of their employees where there is no suggestion that they have breached their obligations to have “appropriate technical and organisational security measures” in place to protect their data? The claimants suggested that Morrisons should have monitored Mr. Skelton’s conduct following a prior disciplinary hearing, after which it is believed that he became disgruntled with his employer. Clearly, this raises privacy issues in itself as employers need to have good reason to conduct monitoring of their employees, and must do so in a manner that is proportionate to the concern for and mindful of their privacy rights. A general conclusion that all disciplined employees need to be monitored is unlikely to be a sufficient reason to conduct specific monitoring of those employees. Technological solutions such as controls over the downloading of data to USB drives in an authorised manner and audits of the location of such USB drives where downloaded data has been authorised are entirely reasonable in the current environment of data breach risks. Automatically raising red flags for certain internet searches may also be a solution, and in this case could have alerted Morrisons that Mr. Skelton was researching how to conceal his identity using The Onion Router (TOR).

The case underlines the importance of robust recruitment and screening procedures as well as having a “speak up” workplace culture in place, which may have enabled other employees to raise concerns about Mr. Skelton’s conduct.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

London
Matthew Howse

Paris
Charles Dauthier

Frankfurt
Walter Ahrens

Brussels
Christina Renner

Philadelphia
Gregory T. Parks

San Francisco
W. Reece Hirsch