Employers can be vicariously liable for data breaches

The Court of Appeal has upheld the decision of the High Court that WM Morrison Supermarkets plc (“Morrisons”), as employer, are vicariously liable for the actions of an ex-employee who disclosed the personal information of around 100,000 colleagues online.

Background

In 2014, S (who was, at the time, the senior internal auditor at Morrisons’ headquarters) leaked payroll data in respect of Morrisons’ employees via a file sharing website, and also sent copies to the press. This followed him receiving a formal verbal warning in respect of his conduct.

The breach was reported to Morrisons immediately by the press without being published, and in 2015, following a criminal trial, S was jailed for eight years after being found guilty of fraud, securing unauthorised access to computer material and also of disclosing personal data.

The civil case, Various Claimants v Morrisons (2017) (the “Claim”) was brought by 5000 current and former employees of Morrisons. The Claimants sought compensation from Morrisons, claiming that it was responsible for breaches of privacy, confidence and data protection laws, and that, as a result, the data leak exposed them to a risk of identity theft and potential financial loss. The Claimants argued that Morrisons were primarily liable for its own actions and omissions, as well as vicariously liable for the acts of S.

High Court

The High Court rejected the Claimants’ argument that Morrisons were primarily liable for the data breach. Whilst it was accepted that Morrisons failed to ensure that S deleted the confidential information from his computer, the High Court held that this failure did not cause or contribute to the disclosure of information.

In respect of vicarious liability, the High Court focused on the extent to which S’s actions were connected to his employment. It was found that there was a sufficient connection so as to make Morrisons vicariously liable for S’s conduct, irrespective of S’s motive for committing the breach. There was a seamless and continuous sequence of events that linked S’s employment to the disclosure, namely that the act of disclosing the data to a third party was closely related to the task that S had been instructed to do (i.e. to download the data from a memory stick to his computer and then send a copy to Morrisons’ external auditors, a third party).

Morrisons were granted the right to appeal.

Court of Appeal

The Court of Appeal unanimously upheld the decision of the High Court, entirely agreeing that S’s actions were “an unbroken chain of events” that sufficiently linked his conduct to his employment.

Morrisons’ lawyer argued that the purpose of S’s actions were to cause harm to his employer, and to impose vicarious liability upon the company would, in effect, render the Court an assistant in furthering S’s criminal aim. However, the Court reiterated that the motive was irrelevant – it did not matter whether the breach was committed for personal gain or for reputational damage. The Court suggested that if a finding of vicarious liability would lead to a company having to pay significant compensation, then that company should ensure that it has adequate insurance to cover such risk.

As a result of this judgment, Morrisons may be required to pay compensation to the Claimants, albeit, the Claimants will each need to prove that they have actually suffered loss or harm as a result of the breach to be eligible for compensation.

Morrisons have confirmed that they will be appealing to the Supreme Court and therefore, for the time being, it is a case of ‘watch this space’.

Impact on schools

This is the first case in which vicarious liability has been applied to a data breach, and it highlights the recent trend of employers being held vicariously liable for the actions of their employees, where those actions are sufficiently connected to their role. Schools, as employers, need to be mindful that they may be held responsible for the actions of their staff. The case of ABC v West Heath 2000 Limited (2015), where a school was found vicariously liable for the sexual abuse committed by a member of staff against a pupil, provides a salutary example of this.

As with all employers, schools should ensure that they have adequate processes and procedures in place to vet new employees, and that sufficient supervision is implemented, particularly in regards to the use of personal data. Schools should take steps to ensure that they are complying with the GDPR and the Data Protection Act 2018 and to seek advice or refresher training if there are concerns. Given the Court’s comments, schools may also wish to assess their insurance policies to ensure that they appropriately cover the risk presented by “rogue” employees.

There are, however, inevitable challenges in dealing with staff who are intent on causing damage and it will be interesting to see what further guidance is forthcoming from the Supreme Court in the event of an appeal.