The Morrisons data protection case in detail
Sally French, Mourant Ozannes, Senior Associate, Guernsey, 22 February 2018
Nobody discussed this important case at WealthBriefing's GDPR conference in London yesterday, so this analysis is a timely reminder to financial institutions about their present and future liabilities in the face of rogue employees who mishandle the personal data they are supposed to be processing on behalf of HNW clients.
I and my colleagues have noticed that financial firms are paying more and more attention to data security and the ways in which they manage personal data. With the advent of the European Union's General Data Protection Regulation, and complimentary legislation being introduced in Guernsey and Jersey, this is only natural. Their worries on this subject have been exacerbated by breaches in cyber security.
Data protection litigation, meanwhile, is dominated by a case that features a worrying combination of data protection and data security issues: the recent class action against Morrisons Supermarkets in the UK. Commercially speaking, the case is a reminder that virtually all businesses hold some personal data. In this instance, the issue was employee payroll data. The case also reminded us that threats to data security can be internal as well as external. The case concerned an intentional data leak perpetrated by a Morrisons' employee. On the legal side of things, the case was the first class action in the UK for a data security breach. We can expect more. Morrisons was found to be vicariously liable; though no finding of fault was made against the retail firm, it was nevertheless held liable for the acts of its employee.
Skelton makes it
The case concerned the leaking of the personal payroll data of almost 100,000 Morrisons' employees. The leak was the result of deliberate, criminal action taken by a disgruntled Morrisons employee, Andrew Skelton, who leaked the data with the intention of damaging Morrisons.
Skelton's job at Morrisons was that of an information technology (IT) auditor. In the course of his duties he came, quite legitimately, into possession of the payroll details of more than 100,000 Morrisons employees for the purpose of transferring it from the firm's secure system to its auditors. Harbouring resentment from an earlier disciplinary incident, Skelton copied the data onto a personal USB (memory stick) which he then carried off the premises. He leaked that data some months later using a 'false account' (whatever that might be) that he created on a TOR anonymity network using his home computer.
On learning of the leak, Morrisons acted promptly to remove the data taken from public view as far as possible. It offered identity theft protection and compensation to anyone who had suffered fraud as a result of the leak and incurred costs in the region of £2 million as a consequence of the incident. During the subsequent court case, nobody ever accused Morrisons of taking inappropriate action, but the fact remains that 5,518 of its employees made a claim against it.
The legalities of liability
Primary liability claims, by which the plaintiffs tried to hold Morrisons liable for its own acts and omissions, failed. Morrisons was, however, held liable on the basis of secondary/vicarious liability. In other words, Morrisons was held accountable for the acts of its rogue employee.
Vicarious liability sees a faultless party held legally responsible for the wrongs of another. This can arise in several types of relationship but is especially common when an employer is found liable for the wrongful acts of an employee.
The imposition of vicarious liability on employers is an imperfect compromise. It seeks to balance the social interest of giving victims a remedy against a party with the means to pay, against the risk of burdening enterprise with undue costs. The cases show a preference towards the former.
There has been much debate about how far an employee must stray from the scope of his employment before the chain of liability that links him to his employer should break. Criminality is not enough of itself. As Lord Nichols of Birkenhead neatly surmised in Dubai Aluminium Co Ltd v Salaam [2003] 2AC 366: “...it is a fact of life, and therefore to be expected by those who carry on businesses, that sometimes their agents may exceed the bounds of their authority or even defy express instructions. It is fair to allocate risk of losses thus arising to the businesses rather than leave those wronged with a sole remedy, of doubtful value, against the individual employee who committed the wrong."
The test applied by the courts in deciding when an employer is vicariously liable for the act of their employees is whether the wrongful act has a “sufficiently close connection with the employment.”
The test is imprecise and depends on the facts of each case and the courts have admitted this.
Rogue email
As far as the facts of the Morrisons case were concerned, Skelton had taken deliberate steps with the clear intention of doing his employer harm. His actions were criminal and he is now serving a prison sentence as a consequence. By no means was he furthering, or trying to further, the aims of Morrisons. He had taken data and had then leaked it from his own non-work computer, outside his employer's premises, in his spare time outside working hours. Nevertheless, the court concluded that his rogue actions were sufficiently closely connected with his work to render Morrisons vicariously liable. Drawing upon the earlier criminal judgment against Mr Skelton, the court viewed his actions as "a seamless and continuous sequence of events" that made up an unbroken thread that linked the criminal acts to his employment.
The presiding judge, Mr Justice Langstaff, was troubled that Skelton had set out to injure Morrisons and also feared that to affix vicarious liability to Morrisons may render the court an accessory in the furtherance of Skelton's criminal aims. No previous case had gone so far as to hold an employer vicariously liable for acts intended to harm that employer, rather than acts from which the employer may be said to benefit. However, when the attack on the employer sees other persons suffer the collateral damage, in this instance having their personal data leaked, the court found it difficult to identify anybody else who might be in a position to compensate them. Morrisons does, however, have leave to appeal on this point.
Will Guernsey follow suit?
The widening snare of vicarious liability lies in wait for every enterprise and the Morrisons case is a useful illustration of how it can invade the world of data protection and data security. A supermarket may not seem to be the most obvious target for a data security attack but the case serves as a reminder that nearly all organisations hold a quantity of sensitive data.
The case is also notable for taking the form of a class action. On 25th May the GDPR will make it easier for people to make such claims and will provide them with a means of seeking redress which may not be available to them if they act alone. More litigation of this type is possible.
Class actions, as seen in the UK, are also available in Guernsey but not elsewhere in the British Isles. There is no law in Ireland to facilitate them, although multi-party or multi-plaintiff litigation does occur and often happens through representative actions and test cases. There is no mechanism for group litigation in the Royal Court of Jersey.
In the context of personal data, given Guernsey's adoption of the GDPR, it can be expected that the courts will uphold the principles to be found in Article 5. One of the points of that regime is to protect individuals' data privacy. One would therefore expect the Guernsey courts to give people access to compensation from an entity which may reasonably be expected to be adequately insured, perhaps by going as far as the English courts in Various Claimants v WM Morrisons Supermarket plc.
The Guernsey Financial Services Commission might also be expected to scrutinise any breach that concerns the sector it regulates.
* Sally French can be reached on +44 1481 739 341 or at sally.french@mourantozannes.com