Morrisons in the Supreme Court: data breach implications for D&Os
WM Morrison Supermarkets plc v Various Claimants [01.04.20]
This article was co-authored by Jenny Chapman, Solicitor Apprentice.
On 1 April 2020, the Supreme Court held that Morrisons was not vicariously liable for an extensive data breach intentionally caused by a disgruntled employee.
The judgment will be a very welcome decision for businesses; however, the outcome is unlikely to mean an end to data breach group litigation in the UK and the associated risk posed to corporates, D&Os and their insurers.
Mr Skelton was a senior auditor in Morrisons’ internal audit team. In July 2013, Mr Skelton was subject to disciplinary proceedings for minor misconduct and was given a verbal warning.
Following those proceedings, and in the context of an annual external audit, Mr Skelton was given access to the payroll data relating to the whole of Morrisons’ workforce.
On 12 January 2014, Mr Skelton uploaded a file containing the payroll data of 98,998 Morrisons employees to a publicly accessible website. Mr Skelton also sent CDs containing the file anonymously to three UK newspapers.
Morrisons acted quickly and Mr Skelton was subsequently sentenced to eight years’ imprisonment for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998.
However, 9,263 employees whose data had been leaked by Mr Skelton brought a claim against Morrisons for ‘distress, anxiety, upset and damage’ on the basis that Morrisons should be vicariously liable for Mr Skelton’s actions.
The Supreme Court decision
In a nutshell, the key questions before the Supreme Court were whether Morrisons was vicariously liable for Mr Skelton’s actions and, if so, whether the Data Protection Act excludes vicarious liability.
The Supreme Court found unanimously in favour of Morrisons. The Court held that the fact that Mr Skelton’s employment gave him the opportunity to disclose the data did not mean that Morrisons should be held vicariously liable for him doing so. In other words, the wrongful act and Mr Skelton’s scope of work as a data controller were not sufficiently connected: ‘In the present case, it was clear that Mr Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.’
The Court also held that vicarious liability was not excluded by the Data Protection Act.
This decision is good news: it confirms that employers will not be responsible for an employee who acts outside his/her scope of duties for pure personal reasons.
However, corporates and their directors should not view this decision with complete optimism. Claims for data breach in the UK are becoming more prevalent; litigation funders and claimant firms are seemingly targeting victims of data breaches to build group actions; and responsibility for complying with GDPR falls on directors.
Directors need to ensure that cyber protection for their companies is actively kept under review. There needs to be adequate technology, training and monitoring of risks, as well as processes in place to mitigate cyber risk in the event of an attack. With an increased number of people working from home, and more commonly working on personal equipment outside an office environment, data breaches and cyber-attacks are more likely. This means that up-to-date policies and contingency planning are of paramount importance.
Proactive risk management for data breach and cyber related incidents is essential. This is even more so given the level of fines that can be imposed for GDPR non-compliance (EUR 200 million or 4% of annual worldwide turnover), the possibility of opt-out GDPR litigation raised in the UK Government Consultation in 2020, and the Lloyd v Google Court of Appeal decision in October 2019 (see our previous article), which seemingly paved the way for US-style group litigation for data breach claims.
We also expect to see cyber related securities claims pursued by investors arising from a lack of preparedness for data breaches and cyber-attacks and/or misleading statements by D&Os as to the true impact of such events on the business, as well as claims related to associated reputational damage.
Whilst the Morrisons decision means corporates and their D&Os cannot be held responsible for the actions of a rogue employee, cyber risk remains a real and significant concern to D&Os. D&O insurers will therefore continue to be in the spotlight in this challenging area.