01 April, 2020
The Supreme Court has today ruled in favour of Morrisons Supermarkets in relation to a large data breach claim, brought by a group of employees whose personal information had been posted online by a disgruntled employee.
The employee, Andrew Skelton, was a member of the Morrisons Internal Audit Team who had been tasked with transmitting the payroll data of the entire workforce to external auditors. Following a verbal warning for minor misconduct, the employee uploaded the payroll data file to a publicly accessible file sharing website. The employee also sent the file to three national newspapers, claiming he was a concerned individual who had found the information online. One of the newspapers contacted Morrisons, which conducted an investigation and informed the police. Following an investigation by the police and the Information Commissioner's Office, the employee was prosecuted and sentenced to 8 years in prison.
The file uploaded online contained the personal data of nearly 100,000 members of staff and potentially placed them at risk of identity fraud. A claim for compensation was subsequently brought by a number of affected employees against Morrisons for breach of the Data Protection Act 1998, misuse of private information and breach of confidence.
At an earlier stage of the legal process, the Court of Appeal decided that Morrisons was vicariously liable for the actions of the employee. However, that decision has today been overturned by the Supreme Court, which has ruled in favour of Morrisons.
In the judgment, the Supreme Court stated "…no vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer's business, but rather was pursuing a personal vendetta."
This judgment will provide some comfort for employers. If the Supreme Court had found that Morrisons was vicariously liable for the acts of a rogue employee, it would have exposed organisations to serious financial consequences arising from conduct they had not authorised.
Whilst organisations may not be vicariously liable for the actions of a rogue employee, this does not relieve them of their duties under the General Data Protection Regulation (GDPR) to have appropriate technical and organisational measures in place to protect personal data from unauthorised use or access. This may include security measures (e.g. controls to prevent information being transferred outside of the organisation, the prohibition of USB drives and file sharing sites, and monitoring of IT systems to detect suspicious activity), restrictions on access to personal data and adequate staff training. Failure to comply with the GDPR can result in fines of up to £17 million or 4% of annual global turnover (whichever is higher), regardless of whether or not a claim for compensation is brought by affected individuals.
During the course of these legal proceedings, the courts have pointed out that Morrisons had in place robust technical and organisational measures to prevent the misuse of personal data. Had Morrisons not had these robust security measures in place, it may have faced a claim for primary liability (i.e. a claim that its own acts or failures caused the data breach) in addition to the vicarious liability claim.
The introduction of the GDPR made it easier for individuals (and groups of individuals, e.g. affected employees) to bring claims for data breaches. Individuals can now claim compensation for distress or reputational damage arising from a loss of personal data even where there has been no financial loss. The removal of the need to show financial loss to bring a claim, combined with the increased public awareness of data protection issues following the introduction of the GDPR, has seen a rise in such compensation claims.
The Morrisons judgment does not change this, and organisations must continue to comply with the GDPR. The ability to bring claims for compensation for a data breach remains, particularly where there is a systemic failure in data protection compliance rather than a breach arising from the actions of a rogue employee.
This judgment will provide reassurance to organisations that have implemented a robust data protection compliance programme: technical security measures to prevent unauthorised access to or loss of personal data, policies and procedures to ensure the protection of personal data, and an adequate training programme to ensure staff are aware of the need to protect personal data and of the policies and procedures the organisation has implemented.
In the event of a data breach, organisations with a strong data protection compliance programme may be in a stronger position to argue that the cause of the breach was a rogue employee who deliberately failed to comply with the organisation's policies, procedures and training, and therefore may have a defence to claims for compensation.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.