
The Morrison appeal: what next for data security?

Sally French, Mourant Ozannes, Senior associate, Guernsey, 25 January 2019


As readers know, the Wm Morrison Supermarkets 'data breach' case proved that threats to data security are internal as well as external. Every bank ought to beware the damage that one malicious employee might do, because it may be held vicariously liable for his actions.

We have already reported on the decision at first instance. Morrisons, as the firm often styles itself, has since appealed against it, but the outcome of that appeal is of little comfort for financial businesses. 'Data breach' is a European Union term that describes an event that makes personal data less 'secure' than before and leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the data.

The appeal

As someone in court explained: "The central issue of this appeal is whether, on the facts, an employer is liable in damages to those...whose personal and confidential information has been misused by being disclosed on the web by the criminal act of another employee, who had a grudge against the employer, in breach of the Data Protection Act 1998 (DPA) and in breach of that employee’s obligation of confidence."

The three grounds of appeal were:

  • that the DPA excludes vicarious liability;
  • that the DPA excludes the tort of misuse of private information and equitable action for breach of confidence and/or vicarious liability for such breaches; and
  • that it had been wrong to conclude that the wrongful acts of the rogue employee occurred during the course of his employment.

The DPA

The first and second grounds of appeal both concern the extent of the DPA.

In respect of the first ground, the Court of Appeal held that "it is clear [that] the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded by the DPA."

In respect of the second ground, Morrisons conceded that misuses of private information and breaches of confidentiality were not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA. There was no provision in the DPA to address the situation of an employer whose employee (serving as a data controller) breaches the requirements of the DPA. In view of Morrisons' concession and in the absence of a relevant statutory provision, the court held that the DPA did not exclude (expressly or otherwise) the common law remedy of vicarious liability of the employer in circumstances where the common law requirements for such a liability were otherwise satisfied.

Acts in the course of employment

The leading Supreme Court authority on this point is another Morrisons case, Mohamud v Wm Morrison Supermarkets plc [2016] AC 667. That case set a two-stage test:

"In the simplest terms, the court has to consider two matters. The first question is what functions or 'field of activities' have been entrusted by the employer to the employee, or, in everyday language, what was the nature of his job. Secondly, the court must decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice." (Lord Toulson.)

The Court of Appeal found the first question readily satisfied - the rogue employee was regularly entrusted with confidential data and the firm had commanded him to deal with that data.

On the second question, Morrisons' contention was that the "close connection test" [a broad rule laid down in Lister v Hesley Hall Ltd (House of Lords, 2001) that imposes vicarious liability on an employer if there is a close connection between the employee's paid work and his misdeeds] was not satisfied because the harmful act was done by the rogue employee at his home, using his own computer, on a Sunday, several weeks after he had downloaded the data at work onto a personal USB stick. The Court of Appeal found that what fell to be considered was whether the harmful acts fell "within the field of activities assigned to the employee," and indeed concluded that they did. The judge at first instance had said that there had been a seamless and continuous sequence of events providing an unbroken thread linking the criminal acts to the rogue employee's employment; the Court of Appeal approved of this.

Implications

The appeal judgment has not moved matters on a great deal from the decision at first instance. Neither judgment was critical of Morrisons' response to the data breach, but nevertheless neither judgment seeks to assist the business.

In a data protection context this is perhaps not surprising. The European Union's General Data Protection Regulation has made it clear that the interests of data subjects are paramount, regardless of the risks to private enterprise. The Court of Appeal sees insurance as the commercial solution for businesses.

A novel feature of this case in the context of vicarious liability was the rogue employee's clear intention to cause the employer harm. Morrisons argued that the court might become complicit in the furtherance of that purpose if they were to uphold its liability, but instead the court found motive to be irrelevant in matters concerning vicarious liability.

Nevertheless, the finding that a misuse of data, for the clear purpose of harming the employer, formed part of the field of activities assigned to an employee is fraught with difficulty. Morrisons are thought to be appealing to the Supreme Court. Watch this space!

* Sally French can be reached on +44 1481 739 341 or at sally.french@mourantozannes.com
