Leaving aside the Brexit debacle, something that is keeping many employers awake at night these days is the risk of data loss and consequential liability. The introduction of the GDPR in May of this year has (rightly) concentrated minds on this area, and a salutory decision of the Court of Appeal in WM Morrison Supermarkets Plc v Various Claimants on 22 October 2018 is not going to provide much comfort in that respect. It has significant consequences for all employers whose employees have access to important data.
This is the case in which Morrisons had employed as a senior IT internal auditor, a Mr Andrew Skelton, who they had to discipline for unauthorised use of their postal facilities. Skelton was seriously unhappy about that, and he harboured a grudge against the Company as a result. He took it upon himself to load on to a personal USB all of the Company’s payroll data. Included, were details of almost 100,000 employees’ bank accounts, salaries and other information. This, he transferred on to a file sharing website, and he then (anonymously) sent a CD with a copy of the data to three national newspapers. He gave them a link to the file sharing website.
Skelton was later arrested and prosecuted before Bradford Crown Court. He was convicted for fraud, and for breaches of the Computer Misuse Act and the Data Protection Act. He was sentenced to a term of 8 years imprisonment.
In separate civil proceedings, over 5,000 employees sued Morrisons for misuse of private information, for breach of confidence and breach of statutory duty under the Data Protection Act. For the most part, Morrisons themselves were not at fault as regards the data disclosure. But the Judge did find them to be vicariously liable for the actions of their rogue employee. In other words Morrisons were held liable for the actions of Skelton as an employee of theirs acting in the course of his employment. Given the number of claimants in this case (5,518) this finding was very serious indeed. Unsurprisingly, Morrisons appealed and the Court of Appeal has now handed down its Judgment. They decided the Judge was right to find Morrisons liable for the actions of their rogue employee.
The case is therefore now of significant importance to all employers who have employees who are, as part of their job, asked to handle data of this kind. It provides a stark reminder of the real and unavoidable risks they run in recruiting employees in this category.
Morrisons tried to argue that the legal obligations they were under should be qualified. In this respect they should be required to do (only) what was “appropriate or reasonable”. The duty should not be one of strict liability (when the question of “fault” was not relevant, as is the case with vicarious liability), but rather a lesser obligation to take “reasonable steps” to ensure the reliability of their employee. For Morrisons, it was not the purpose of the Data Protection Act to impose a disproportionate burden on employers.
These arguments were, however, roundly rejected by the Court of Appeal. They could see no reason why the concept of vicarious liability should not apply to the Data Protection Act. The Court looked at a number of authorities on the subject of vicarious liability and agreed with the conclusion reached by Lord Toulson in an earlier case (ironically also involving Morrisons) that “the risk of an employee misusing his position is one of life’s unavoidable facts ..”
So in the present case, the Court of Appeal said that Morrisons had deliberately entrusted Mr Skelton with the payroll data. As a result they assumed the risk that they might be wrong in placing that trust in him. Skelton’s act in sending the data to third parties was within the field of activities that had been assigned to him. Skelton may have caused the damage by sitting at home (rather than being “at work”), using his own computer (not his Employer’s), and he may have been engaged in doing the nefarious acts on a Sunday (rather than during the working week), but there was nonetheless sufficient connection (the relevant test) between what he did and his employment, such that his employers were correctly found to be vicariously liable.
That may sound like a tough decision from an employer perspective, but where does that leave us now? The only real answer, it seems, is to insure. That is indeed the specific conclusion that the Court of Appeal itself reached. In predicting, one supposes, an element of controversy to follow publication of their decision, they said right at the end of their Judgment “the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by [Morrisons’ Counsel]”.
Unfortunately, quite what that insurance is going to be is a bit of a moot point at the current time. This was not addressed by the Court. Doubtless it will include, in particular, specific cyber insurance, but it may also be possible to obtain cover through other policies. Certainly, employers must now clarify with their insurers right now whether they will be covered in the event that an employee of theirs acts in breach of their data protection obligations. Given that many companies are asking that question at the current time, one supposes the market for such insurance will become more refined over the next few weeks and months.
That is, unless Morrisons are able to overturn the Court of Appeal’s decision. To no one’s great surprise, they have confirmed they do plan to appeal to the Supreme Court. Even if they do, it will be a considerable time before the case comes to be heard.
In the meantime, it seems that Morrisons themselves may harbour a “grudge” of sorts. After the Court of Appeal issued their Judgment, a spokesman on their behalf pointed out that they have not been blamed by the Court for the way in which they had protected their colleagues’ data. Rather they had been held responsible for the actions of a former (rogue) employee, even though those actions had been found to be criminal. Furthermore the criminal actions had been specifically targeted at the Company. They were not for the benefit of the criminal or anyone else for that matter. Yet to add insult to injury, the Company had then itself been sued by its other employees, notwithstanding Morrisons (unlike their errant employee Mr Skelton) were not directly responsible for the acts that had caused the damage, and indeed were one of Skelton’s other “victims”. Indeed this was one reason why the original judge had been nervous about his decision, because in one way it could be said that the Court itself was now an accessory in furthering Skelton’s criminal aims.
It seems data protection, perhaps like the Brexit process itself, is subject to the law of unintended consequences …