Landmark judgment in data protection action against Morrisons at High Court in UK

Supermarket giant Morrisons has been found vicariously liable for the actions of a rogue member of staff who stole the personal data of almost 100,000 workers and posted it online in revenge for disciplinary action taken against him by the company.

On 1 December 2017, Mr Justice Langstaff at the High Court ruled that Morrisons was vicariously liable for the personal data breach that leaked employees' names, addresses, salaries, bank account details, national insurance numbers and other sensitive personal data online.

In July 2015 the former internal auditor, Andrew Skelton, was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years.

The trial heard that his motive appeared to have been a grudge over a previous incident where he was accused of dealing in legal highs at work.

A group action of 5,518 former and current members of staff is now seeking millions in compensation from Morrisons. If it succeeds, it will open the door for the other 94,480 individuals affected to seek financial compensation too.

Anya Proops QC, for Morrisons, argued that the company shouldn't be held vicariously liable for the massive personal data breach, but this failed to convince the High Court.

On the other hand, lawyers acting for the shop workers claimed the ruling was a landmark judgment in data protection laws in the UK.

Nick McAleenan of JMW Solicitors, said: “The High Court has ruled that Morrisons was legally responsible for the data leak. We welcome the judgment and believe that it’s a landmark decision, being the first data leak class action in the UK.”

The judge ruled that vicarious liability, but not primary liability, had been established, and granted Morrisons leave to appeal on the question of law. Mr Justice Langstaff held that the Data Protection Act 1998 (DPA) doesn't impose primary liability on Morrisons; that Morrisons hadn't been proved to be at fault by breaking any of the data protection principles, save in one respect which wasn't causative of any loss; and that primary liability could be established neither for misuse of private information nor for breach of confidentiality.

“I reject, however, the arguments that the DPA upon a proper interpretation is such that no vicarious liability can be established, and that its terms are such as to exclude vicarious liability even in respect of actions for misuse of private information or breach of confidentiality.

“I grant leave to Morrisons to appeal my conclusion as to vicarious liability, should they wish to do so, so that a higher court may consider it, but would not, without further persuasion, grant permission to cross-appeal my conclusions as to primary liability.”

Anya Proops QC said it hadn't been established that Morrisons fell short when it came to data security, and that Skelton's criminal disclosures couldn't be said to have been effected in the "course of his employment", so there could be no vicarious liability.

The novel issue of the extent to which an employer could be held liable under civil law in connection with the unauthorised, criminal misuse of third party data by an employee was of “huge importance” for all those who process personal data as a Data Controller, observed Anya Proops QC.

“This would obviously include not only commercial enterprises but also charities, governmental bodies, self-employed professionals, clubs, associations, non-governmental organisations and all manner of entities and persons who process data other than for domestic purposes.”

The hearing was only concerned with the issue of liability. If the judge’s ruling stands, the amount of any compensation will have to be assessed at a future date if not agreed.

Would the judgment be different under the GDPR?

What's interesting is how this matter would be dealt with by the courts after 25 May 2018, when the GDPR becomes enforceable across all 28 EU Member States.

The GDPR places a higher standard of data protection and security on the Data Controller, leaving less wriggle room for the legal arguments Morrisons' lawyers advanced on the facts of this case.

It's clear that in law the employer owes its employees a duty of care. In practice that means the employer must have organisational and technical measures in place that protect employees' personal data from falling into the wrong hands (Art.32, GDPR).

In addition, the employer needs to apply the data protection principle of Data Minimisation that’s well established in law (Art.5(1)(c), GDPR).

In this case that means Morrisons should not have let the records of nearly 100,000 individuals be reachable by employees whose jobs did not require them. Minimisation limits what is collected and kept; access to what is kept should follow the Principle of Least Privilege (POLP), one of the organisational and technical measures Art.32 calls for: each employee sees only the personal data, and only the fields of it, needed to do their job, because every extra person with access is one more route by which the data can be misused, stolen or exposed by a third party, with resulting harm to the individuals concerned. Least privilege on its own does not stop an insider whose role legitimately requires bulk access, so it needs complementing with logging and alerting on large exports and with controls on copying data to removable media or personal devices.
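The field-level, deny-by-default access control described above, as an added example in Python. It is not Morrisons' code, nor anything taken from the judgment; the sample records, the role names, the field names and the bulk-export threshold are all constructed assumptions for illustration.

```python
"""Least-privilege access to a payroll dataset (added illustration).

Each role is granted only the fields it needs; anything not granted is
denied. A line manager is further restricted to direct reports, and a
request for more than BULK_LIMIT records is refused and logged as a
possible bulk extraction. Records, roles, fields and the threshold are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample records: fictional people, fictional numbers.
RECORDS: Dict[str, Dict[str, str]] = {
    "E001": {"name": "A. Example", "address": "1 High St", "salary": "28000",
             "bank_account": "12-34-56 00000001", "ni_number": "QQ123456A",
             "manager": "E100"},
    "E002": {"name": "B. Example", "address": "2 High St", "salary": "31000",
             "bank_account": "12-34-56 00000002", "ni_number": "QQ123456B",
             "manager": "E100"},
    "E003": {"name": "C. Example", "address": "3 High St", "salary": "45000",
             "bank_account": "12-34-56 00000003", "ni_number": "QQ123456C",
             "manager": "E200"},
}

# Deny-by-default policy (assumed role names): a role sees only the fields
# listed for it, and a role absent from the table sees nothing.
POLICY: Dict[str, FrozenSet[str]] = {
    "payroll": frozenset({"name", "salary", "bank_account", "ni_number"}),
    "line_manager": frozenset({"name", "salary"}),
    "internal_audit": frozenset({"salary"}),  # figures, not identities
}

# Requests for more records than this are refused pending separate
# approval. The value is an assumption chosen to keep the example small.
BULK_LIMIT = 2

AUDIT_LOG: List[str] = []


@dataclass(frozen=True)
class Actor:
    user_id: str
    role: str


def allowed_fields(actor: Actor) -> FrozenSet[str]:
    """Fields the actor's role may read; empty set for unknown roles."""
    return POLICY.get(actor.role, frozenset())


def in_scope(actor: Actor, emp_id: str) -> bool:
    """Row-level restriction: line managers see only their direct reports."""
    if actor.role == "line_manager":
        return RECORDS[emp_id]["manager"] == actor.user_id
    return True


def read_record(actor: Actor, emp_id: str) -> Dict[str, str]:
    """Return only the permitted fields of one record, or raise."""
    fields = allowed_fields(actor)
    if not fields or emp_id not in RECORDS or not in_scope(actor, emp_id):
        AUDIT_LOG.append(f"DENY {actor.user_id}({actor.role}) read {emp_id}")
        raise PermissionError(f"{actor.role} may not read {emp_id}")
    AUDIT_LOG.append(
        f"ALLOW {actor.user_id}({actor.role}) read {emp_id} "
        f"fields={sorted(fields)}"
    )
    return {k: v for k, v in RECORDS[emp_id].items() if k in fields}


def export_records(actor: Actor, emp_ids: List[str]) -> List[Dict[str, str]]:
    """Multi-record read with a volume check: large pulls are refused."""
    if len(emp_ids) > BULK_LIMIT:
        AUDIT_LOG.append(
            f"ALERT {actor.user_id}({actor.role}) requested "
            f"{len(emp_ids)} records; refused"
        )
        raise PermissionError("bulk export exceeds limit; needs approval")
    return [read_record(actor, e) for e in emp_ids]


if __name__ == "__main__":
    print(read_record(Actor("aud1", "internal_audit"), "E001"))
    print(read_record(Actor("E100", "line_manager"), "E002"))
    for attempt in (
        lambda: read_record(Actor("E200", "line_manager"), "E001"),
        lambda: export_records(Actor("pay1", "payroll"), list(RECORDS)),
    ):
        try:
            attempt()
        except PermissionError as exc:
            print("refused:", exc)
    print("\n".join(AUDIT_LOG))
```

The point of the volume check is the caveat above: an auditor may legitimately read salaries, but one account pulling every record at once is exactly the event that should be refused or at least surfaced to someone else, rather than served silently.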

In July this year 547,000 customer records were stolen from Bupa by a rogue employee, including names, dates of birth, nationalities and insurance membership numbers that could be used for spear-phishing and scams.

This type of insider risk is on the increase for companies and organisations. The 2017 Data Breach Report published by the Ponemon Institute put the internal cost of a personal data breach at £108 per breached record. That figure takes no account of sanctions, fines or compensation claims by those affected, or of customer churn and a drop in share price, which can multiply the real cost of a breach to around five times the internal cost.

Although companies and organisations are getting better at using technology to stop phishing attacks, they shouldn't delay stepping up the vetting of potential employees, as criminals often plant people inside a company or organisation to steal information from within.

For information about the GDPR Transition Programme at Henley Business School, click here.
