There was no doubt jubilation at the head office of supermarket chain Wm Morrison this week, after the Supreme Court allowed its appeal against previous judgments that it was vicariously liable for the actions of a disgruntled employee who leaked the personal data of thousands of Morrisons staff.
Andrew Skelton, who is now serving an eight-year prison term for his crimes, took revenge on Morrisons after facing internal disciplinary action. He copied confidential data that he was supposed to be supplying to the firm’s external auditors and posted it on an underground forum while posing as a colleague. He then pretended to be a concerned member of the public and sent the data to three newspaper reporters.
At the core of the Supreme Court’s ruling, which can be read in full online, is the argument that an employer cannot be held vicariously liable for wrongs committed by its employees, and so Morrisons cannot be held vicariously liable for intentional breaches by an employee of duties imposed by the Data Protection Act 1998.
The court’s decision was broadly welcomed across the legal profession, as noted by Nicola Fulford, a privacy and cyber security partner at Hogan Lovells, and Matthew Gill of Wiggin LLP.
“The Supreme Court’s decision will be welcomed by companies, as they now know they are unlikely to be liable for damages following the deliberate act of a rogue employee where the disclosure is not within the ‘field of activities’ assigned to that employee,” said Fulford.
Gill added: “The Supreme Court’s decision should be welcomed by employers with a sigh of relief. If the court’s decision had gone the other way, Morrisons would have been liable to 100,000 of its employees for a breach of their data, despite Morrisons having done everything it reasonably could have to protect that data.
“Other employers would have faced an untenable risk that if they were hit by a similar theft of data by an employee, and would be left wholly exposed. It is right, as the Supreme Court has found, that employers should not be found liable for their employees’ actions in those circumstances.”
Adam Rose, a partner at The10Group, said that in deciding to side with Morrisons, the court had not given as much attention as one might expect to underlying data protection law, choosing rather to focus on general issues relating to vicarious liability.
Sigh of relief
Nevertheless, he said: “With this judgment, employers – and the insurance sector, which might have been asked to cover a lot of the risk – can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorised actions of rogue employees.
“They must still comply with the security requirements of GDPR [General Data Protection Regulation], but – as long as they have done so – they shouldn’t find themselves defending an action in which they were also arguably a victim.”
Mark Thomas, an employment and information law barrister at 5 Essex Court, said that had the appeal failed, Morrisons could have been hit with a huge damages bill – even a small award granted against the nearly 10,000 claimants could have seriously damaged its margins.
“This case also has wider implications for employers through the country,” said Thomas. “It means that if they adopt conscientious and careful data control and protection measures, then they can be relatively sure that they are protected against the legal consequences of vindictive data breaches. That will be a huge relief for data controllers and processors, who are coming to terms with the onerous data protection landscape following the introduction of GDPR.”
This view was echoed by Miriam Everett, global head of data privacy at Herbert Smith Freehills, who said that in a world where organisations can already be fined up to €20m or 4% of annual turnover for GDPR non-compliance, there had been fears that the Supreme Court could have ruled the other way, opening up the possibility of additional, significant liability under class action claims.
“Many organisations will be comforted by the steps that the court has now taken to reduce the likelihood of such claims being successful,” she said.
But the story does not end there, and the Supreme Court’s decision does not necessarily guarantee that organisations are protected against class actions, said Everett.
“The decision is no guarantee that similar claims would fail in circumstances where the regulator agrees that there has been a breach of the security requirements under the GDPR, such as has been the case when you look at some of the recent big data breaches we have seen, which are starting to result in significant fines from the ICO,” she said.
Thomas at 5 Essex Court added: “To be clear, whilst they may be protected against vindictive data breaches, companies and individuals that control and process data may still find themselves liable for inadvertent data breaches. The consequences of any such breaches can be financially and reputationally devastating.”
Thomas’ colleague Aaron Moss, who specialises in information law, said the verdict did not necessarily mean that employers cannot be held vicariously liable for breaches in future.
“Companies can be held responsible for the data protection breaches if their employees act unlawfully in the ordinary course of employment,” he said.
“Organisations whose employees process personal data – which is almost every private company and public authority – must make sure they have processes in place to mitigate the risk of data breaches by their employees.
“Otherwise, they could be held responsible for any breaches, alongside their employees. A prudent claimant will almost always go after the employer, not the employee – it is the employer who has deeper pockets.”
Matthew Felwick, class actions specialist and partner at Hogan Lovells, agreed, saying: “This decision will only be of limited comfort for companies that experience a data security breach. The court’s reluctance to totally exclude vicarious liability gives another potential tool to claimant lawyers, further increasing the already considerable risks of data class actions in the UK that companies face.
“We are seeing more and more actions brought by large groups of claimants for damages for the distress and anxiety caused by the misuse of personal data, irrespective of any actual financial loss, and this decision will do little to slow that trend.”
Julian Copeman, a partner in Herbert Smith Freehills’ disputes practice, argued that the verdict was merely a setback, not a roadblock, to future class action lawsuits over data breaches, and boardrooms should urgently consider what they need to do to plug leaks before they happen, in order to minimise this risk.
Copeman said: “Funders and claimant firms are looking to build class actions in relation to data breaches even where there is no specific evidence of individual damage. They are seeking damages for the whole class for ‘distress’ or a standardised claim of loss of access to data and even a nominal damages award per claimant could lead to a significant amount over a class of tens or hundreds of thousands.
“This judgment will not reverse that trend, but it will at least mean that companies who are themselves victims of data breaches by employees will not also face such claims on this basis alone.”