
Privacy Tracker | UK: Vicarious liability on company for deliberate data breach by employee


Editor's Note:

This article originally appeared, in German, in the Beck publication Zeitschrift für Datenschutz.

In the case of Various Claimants v. Wm Morrison from December 2017, the High Court of England and Wales has held a company liable for a deliberate and massive data breach carried out by an employee, though the company itself was blameless, in line with the doctrine of vicarious liability (under which an employer must bear the consequences of torts committed by its workers in their employment).

Particularly against the background of concerns as to the level of administrative fines available under the GDPR (which the U.K. is implementing in domestic law), the decision raises the spectre of potentially crippling liability on organizations for data protection infractions; for this reason the case is now being taken to the Court of Appeal, and the outcome will be awaited with keen interest.

The facts of the case were that the defendant company, Wm Morrison (Morrisons), which owns a chain of supermarkets in Northern England, employed as one of its senior IT personnel a man named Skelton. Following an unrelated incident at work, which led to him receiving a (low-level) warning as to his future conduct, Skelton developed — in a way the Court accepted was unforeseeable — a grudge against his employer, which culminated in him abusing his position in the IT department to disclose the personal data of around 100,000 Morrisons’ staff, by posting it on the internet and sending it to a number of newspapers. The data in question included names, addresses, genders, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes and account numbers, and salary details. Though Skelton sought to disguise his identity as the source of the breach, he was subsequently charged and convicted in respect of it, receiving an eight-year prison term.

The present action was brought against Morrisons itself, by some 5,500 of the staff whose data had been disclosed by Skelton, seeking compensation, inter alia for their mental worry and distress. In the U.K., this is a relatively new form of claim — distress damages being for a long time apparently excluded by the U.K. Data Protection Act 1998, and only recognized by the Court of Appeal in its 2015 Vidal-Hall decision. However, the High Court in the present case was not asked to quantify the damages the employees would be entitled to, but simply rule on the anterior question of Morrisons’ liability. In this regard, the claimants argued that such liability arose both directly (so-called primary liability), due to the company’s own breach of the DPA, and vicariously — i.e., secondary liability — based on the wrongful conduct of Skelton.

In the High Court, Mr Justice Langstaff rejected the aspects of the claim based on Morrisons’ alleged primary liability. Thus he found that in terms of the illicit and unjustified disclosure of the data (in breach of the fair and lawful processing principles under the DPA), Skelton, in processing the data for his own purposes, had in fact taken over the role of data controller:

“[47] … Morrisons owed duties under … the DPA only while data controller, and only qua data controller. Skelton became data controller in respect of that information once he put himself in the position of determining the purposes for which and the manner in which the personal data he was about to copy from his laptop was to be handled. When he decided to settle his grudge against Morrisons by means of disclosing it, eventually, on the internet, he was acting just for himself.”

Admittedly, Morrisons was also required to adhere to the principle of data security under the DPA (i.e., to maintain appropriate technical and organizational safeguards against data loss and disclosure, including due to unlawful third-party activity, in line with Article 17 of the parent EU Directive); however, on the evidence, they had taken the relevant precautions, and could not have reasonably anticipated or prevented Skelton’s conduct:

“[95] … the system … critically depends upon the trustworthiness of human agency. [The data security principle] is directed towards systems. The risk of human default remains, despite the understandable concerns of Morrisons to guard against it as best they can. The technological and organizational measures current in 2013 and 2014 at their best could not altogether prevent the risk posed by a rogue employee who was trusted and had given no real reason to doubt his trustworthiness.” 

Nonetheless, as noted earlier, having absolved Morrisons of primary liability, the High Court went on to find them vicariously liable for the criminal and tortious acts of Skelton. Vicarious liability is a longstanding concept in U.K. tort law, which, as Mr Justice Langstaff suggested, embodies a form of “enterprise” liability, based on the idea that, just as an employer takes the benefits from the activities of his employees (in adding value to his business), so too should he take the risks of the employee wrongfully performing his duties and injuring others; at least, this is so when there is a close connection between the wrong and the tasks the employee was assigned to perform.

In this regard, Morrisons found itself in the position of trying to argue that, with specific respect to data protection law, the ordinary rules on vicarious liability should not apply. One of its key arguments was that such strict liability was inconsistent with Section 13 (3) of the DPA, which affords a defense to a party able to show that it was not at fault for the breach; however, the judge was unwilling to accept this, and indeed no similar defense is found in the parent EU Directive. To the contrary, he robustly asserted that: 

“[154] … The DPA must be seen in its full context: that it is the domestic implementation of a European Directive which describes itself in its title as a Directive ‘… on the protection of individuals with regard to the processing of personal data and on the free movement of such data.’ … [I]f, at the moment an employee decides to misuse data to which his employer has given him access the employer ceases to be under any further liability, on the basis that the employee thereafter will be data controller in respect of the misuse, this would tend to defeat the rights of data subjects in respect of that data rather than enhance them as is the apparent purpose of the Directive.”

As noted, the case is now proceeding for determination by the Court of Appeal. In the light of the dictum just cited, an interesting side issue is whether the latter may consider the approach taken in other EU member states: Is the imposition of vicarious liability for data breaches seen elsewhere as necessary to further data subject rights? (In Germany, at least, it appears an employer in the position of Morrisons might escape such liability, where tort-based, by relying on the second sentence of § 831 (1) BGB.) Another intriguing policy conundrum for the U.K. courts, recognized by Mr Justice Langstaff, is that if they allow the action to succeed, they will in a sense be abetting the criminal design (to inflict maximum damage on Morrisons) that motivated Skelton to commit the data breach.


1 Comment


  • Stuart Thomas CIPP/E • Apr 3, 2018
    Astonishing that the CISO, former KPMG auditor, was not cross-examined on his independence of the view on the handover of personal data to KPMG, the external auditor, that requested all the personal data in the first place. Just looking at what was said by 11KBW (representing both sides), this is not clear cut. Or is it? Speculation and conjecture of course.