Morrisons found vicariously liable for mass data breach caused by employee
Published on 1st Dec 2017
In a judgment handed down on 1 December 2017, Morrisons has been found vicariously liable for the act of one of its employees, who posted personal data of 100,000 other employees on a file-sharing website.
This decision has significant implications for businesses that find themselves the victims of data breaches perpetrated by employees. This type of mass claim, brought in this case by 5,518 employees, is likely to become increasingly common when the General Data Protection Regulation (GDPR) comes into effect in May 2018.
What was the claim about?
In March 2014, it came to Morrisons’ attention that a file containing personal data relating to 99,998 employees had been posted to a file-sharing website. The file contained information including names, dates of birth, addresses, national insurance numbers, and bank sort codes and account numbers. It soon became apparent that the file was posted by a senior IT auditor, who had access to the data when he was tasked with delivering it to Morrisons’ external auditors on a USB stick. The individual had been harbouring a grudge against Morrisons stemming from a previous disciplinary issue, and took the opportunity to copy the data from the USB stick and post it online. The individual was arrested and subsequently convicted for eight years for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).
The claim was subsequently brought by 5,518 of the employees whose data had been included in the file.
The employees alleged that Morrisons was:
- Directly liable, for breach of statutory duty (under section 4(4) of the DPA) and under common law (for misuse of personal data and breach of confidence); and/or
- Vicariously liable for the actions of its employee (the IT auditor).
Under the claims for breach of statutory duty, the employees argued that Morrisons remained the data controller at all times and the uploading of the file breached various principles as to the processing of personal data. They also argued that Morrisons failed to take appropriate technical and oranisational measures to prevent the unauthorised or unlawful processing of their personal data (a separate principle under the DPA).
What did the court decide?
The judge found that Morrisons was not directly liable for the data breaches. The judge distinguished between the original set of data that Morrisons held and the copy of the data created by the employee. Whilst Morrisons remained the data controller for the original set of data, when it was copied, the employee became the data controller in relation to that data. The misuse of that data, which was clearly in breach of the DPA, was attributable to him, rather than Morrisons. A finding to the contrary, the judge considered, would in effect impose a strict or absolute liability on a company for any data that it possesses. This was not the statutory intention. For similar reasons, the judge also found that Morrisons was not liable under common law, since the actions were not attributable to it.
The judge then considered whether Morrisons had taken appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data. The findings on this part of the claim were very much more fact dependent. The judge found that the USB stick had been encrypted and that the transmission of the data in this way was not unreasonable. Although the employee had been subject to prior disciplinary proceedings, these were of a ‘first warning’ nature and unrelated to the data breach: it was not, therefore, inappropriate to entrust him with the task of delivering the data. Taking these and other factors into account, the judge found that Morrisons had taken appropriate technical and organisational measures.
The question whether Morrisons was vicariously liable for the employee’s actions came down to a consideration of whether his actions were ‘sufficiently closely connected’ to his role at Morrisons.
In arguing that the connection was not sufficiently close in this case, Morrisons relied on the fact that the act of uploading the personal data had taken place outside of work premises, from a personal computer that was not used for work, and outside of working hours (on a Sunday). Morrisons also argued that vicarious liability applies to acts that are in some way in furtherance of the aims of the employer, whereas in this case the actions were aimed against the employer, as an act of personal retribution.
The judge disagreed with these arguments, finding that:
- Although the act of uploading the file had taken place outside work hours and premises, there was “an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events”.
- It was relevant that the individual had been entrusted with the data, not merely given access rights to it. His task was to store the data and disclose it to a third party. What he had done was not what he was authorised to do, but was closely related to the task he was entrusted to perform.
- Whilst it was true that the employee’s intention was to damage Morrisons, his direct method of doing that was to release the personal data of a large number of employees: it was them that he harmed directly. As the judge put it: “The issue is not so much at whom the conduct was aimed, but rather upon whose shoulders it is just for the loss to fall.”
One further argument that Morrisons raised appeared to cause the judge more difficulty. Morissons argued that, as the employee’s actions were an act of retribution designed to damage Morrisons, if the court imposed vicarious liability on Morrisons, this would be essentially assisting that criminal intention. The judge did not consider that this was reason enough not to find Morrisons vicariously liable, but did grant leave to appeal the finding of vicarious liability. It remains to be seen whether Morrisons pursues that appeal.
Osborne Clarke comment
Whilst the data breaches that grab the headlines are often those involving sophisticated attacks by unknown third parties, as this case illustrates, a significant proportion of breaches are actually caused by error or malicious actions by employees or ex-employees. Even ‘hygiene-level’ data security steps can prevent many of these types of breaches.
Businesses will be reassured by the finding that Morrisons was not directly liable for the actions of its employee. As the judge explained, to find otherwise would be to impose strict or absolute liability that the legislation is not intended to impose. Instead, this case confirms that liability will be limited to instances where the data breach is sufficiently connected to the individual’s employment. Importantly, the judge’s findings seem to indicate that simply having access to data will not be sufficient to satisfy this test – there must be a closer connection to the task assigned to the individual.
With data security incidents continuing to grow in frequency and seriousness, this case also illustrates a growing trend of group claims by data subjects affected. This trend is only set to increase further once the GDPR comes into effect in May 2018.