Morrisons vicariously liable in damages to over 5000 employees for data breach
Key Contact: Rem Noormohammed
Author: Rebecca Mahon
UPDATE: The Court of Appeal judgment discussed in this article was overturned by the Supreme Court in April 2020.
The supermarket Morrisons has lost its appeal against a judgment ordering it to pay damages to 5518 employees who took action against the company after the security of their personal data was compromised. The personal data of 99,998 employees was stolen by a former employee and uploaded to a file sharing website. The case was brought before the GDPR and the Data Protection Act 2018 came into force, so an even more stringent approach can be expected from the courts in future cases under the new regime. It is reported that the case has already cost Morrisons over £2 million. With damages awards in data protection cases normally starting at a minimum of £750, the compensation bill for the employees who have taken action to date is likely to exceed £4 million. If all 99,998 employees were to take action, the potential claims would be closer to £75 million, plus legal and administrative costs, and that assumes the employees receive only the most basic award. Now imagine if this case had been brought following the implementation of GDPR.
In the frenzy of activity leading up to 25 May 2018 (when GDPR took legal effect in the UK), many businesses dutifully undertook the steps that the GDPR and Data Protection Act 2018 required of them. They ticked the boxes: updated their contracts and policies, issued privacy notices, and in some cases assumed that would be the end of it.
Now that this milestone has passed and senior management teams have reverted to the familiar mode of ‘business as usual’, the imperative seems to have dissipated for some, drifting down the list of priorities. Perhaps your business is one that falls into this category? If so, it may be time to stop, think again and re-prioritise. Remember that GDPR was never intended to be a short sprint but a long marathon, with additional hurdles of accountability, responsibility, compliance duties and governance regimes that are deliberately designed to be overcome continuously.
Facts in the Morrisons Case
- A senior IT internal auditor (Mr Skelton) was employed by the supermarket ‘Morrisons’;
- Mr Skelton had a verbal warning on his file concerning personal use of the company’s postal facilities, but was otherwise a good employee;
- Mr Skelton was asked to provide KPMG with various data relating to Morrisons’ employees in order for KPMG to carry out an external audit;
- Mr Skelton was given an encrypted memory stick containing the personal data of 99,998 employees. He downloaded this data onto his work computer (which was also encrypted) and copied it onto another encrypted memory stick provided by KPMG;
- The data remained on Mr Skelton’s work computer, and Mr Skelton later copied it onto a personal memory stick;
- Mr Skelton shared this data online – he was subsequently sentenced to 8 years in prison.
On these facts, Morrisons has been held vicariously liable in damages to the 5518 employees whose data was stolen and who have taken action against it. The Court of Appeal upheld the High Court Judge’s conclusion that there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct (Morrisons having put him in the position of handling and disclosing the data) to make it right for Morrisons to be held vicariously liable. The Court of Appeal also affirmed the High Court Judge’s conclusion that, contrary to Morrisons’ argument, neither the Data Protection Act 1998 nor the common law and equitable causes of action impliedly excluded the prospect of vicarious liability.
Alarmingly, although the High Court Judge concluded that Morrisons was not directly liable for the disclosure, he also found that Morrisons had breached ‘DPP 7’, the 7th data protection principle under the Data Protection Act 1998 (relating to information security).
The Basis of the Argument
The crux of the argument? Morrisons did not check that Mr Skelton had deleted the data once he had provided it to KPMG. The High Court Judge found that ‘there was no organised system for the deletion of data…To the extent that there was no failsafe system in respect of it… Morrisons fell short of the requirements of DPP 7.’
It is of note that Morrisons argued (as part of its defence) that holding it vicariously liable, when there are potentially nearly 100,000 prospective claimants, would be a ‘Doomsday’ event for the company and would set a dangerous precedent for other innocent employers in future cases. On this point, the court concluded that businesses should insure against such risks, stating: ‘The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by…Morrisons.’
What this means for businesses in the future
It is a troubling conclusion for businesses. From an employment perspective, you are supposed to trust your employees. However, as this case demonstrates, one of the biggest threats to data security is the so-called ‘threat from within’. This places an enormous and undefined burden on employers: at what point is your duty to check up on your employees discharged? How do you ensure that your employees are handling personal data properly without being overbearing? It is a balancing act that, following this judgment, businesses will have to get to grips with.
Of course, irrespective of the liability or fines that the courts and/or the Information Commissioner’s Office can impose on you, businesses that handle vast amounts of customer and/or employee data, or that do so as part of their core or outsourced business activities, should also consider with care the adverse impact on their brand value and/or reputation.
Again, remember that GDPR was always intended to be an overhaul of the way businesses control, handle and process information relating to natural persons who can be identified, or are identifiable, from that information alone or in combination with other information, whether you operate as a data controller or a data processor.
It is quite clear from this case that the Court of Appeal has taken the view that the standard required of your systems when it comes to protecting personal data is that they are ‘failsafe’.
It is vitally important, therefore, that you, your staff and your supply chain fully understand the roles, responsibilities and duties that arise from your day-to-day operational activities and practices. It is incumbent upon you and your business to continuously monitor and apply the relevant measures, processes and workflows to properly assess and mitigate the real risks associated with the way you choose to control and process personal data. Ultimately it will come down to whether or not you comply with GDPR and the Data Protection Act 2018.
So, do you still feel confident that your business controls and processes personal data securely and compliantly, and will continue to do so? Are you confident that you have adequate technical or organisational measures in place to prevent the unauthorised disclosure of personal data, in accordance with the ‘security principle’ laid down in the GDPR? Are you ‘failsafe’?
How we can help
- Legal Advisory: Data privacy, protection and security law advice – strategic and day-to-day;
- Audit Tools: As part of Acuity Reputation Management, we can help you to identify, prioritise and tackle areas of risk;
- Contract Health Check and Drafting for Legal Compliance: Review of your contracts and employment policies and procedures (internally facing) as well as your commercial documents (externally facing: supply chain and end user / customer facing contracts);
- Template Employment Documents: Tailorable HR and employment documents which set expectations with regard to employee conduct;
- Internal training: On the GDPR/Data Protection Act 2018 for managers and the board.