Morrisons data breach sounds warning on vicarious liability

In a recent case, Morrisons supermarket was found vicariously liable for a malicious data breach carried out by an employee with a grudge against his employer. The case gives a sharp reminder that when it comes to data, protection begins at home. Molly Paatz, a solicitor at Burges Salmon LLP looks at how employers can minimise the risks.

Protecting against the threat of external hackers is top of most board agendas, but are businesses equally switched on to the threats posed by their own employees?

In 2014, Morrisons, the fourth largest supermarket chain in the UK, suffered a serious data breach when the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details) were posted online.

The payroll data had been supplied by Morrisons to its external auditor, KPMG. It had been copied from the secure software in which it was held onto an encrypted memory stick by an authorised employee in HR, and then uploaded to the encrypted laptop of a different authorised employee (a senior internal IT auditor). The data was then downloaded onto a further encrypted memory stick provided by KPMG and sent on as planned.

Unbeknown to Morrisons, before the data was deleted from the laptop, the senior IT auditor, Andrew Skelton, copied the data onto a personal USB device. Earlier in the year Skelton had been subject to disciplinary proceedings, which apparently led him to harbour a grudge against the supermarket and set him on a path to cause it significant harm.

He did so by posting the payroll data online on a public file-sharing website, tipping off the press and attempting to implicate an innocent colleague. Once the press made Morrisons aware of the breach, the supermarket acted swiftly to get the website hosting the data taken down. It also liaised promptly with banks and the police.

As a result of his actions, in 2015 Skelton was jailed for eight years after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.

Claim against Morrisons

In Various Claimants v WM Morrisons Supermarket 5,500 of the 100,000 affected employees brought claims against Morrisons in the High Court, alleging breaches of the Data Protection Act 1998 (DPA). Despite its swift action on discovering the breach, Morrisons was, on 1 December, found to be vicariously liable for Skelton's actions and will likely be ordered to pay damages to the employees.

The High Court hearing, sitting in Leeds, found Morrisons was not directly liable for breaches under the DPA. It concluded that, when the data had been copied by Skelton and leaked, Morrisons was not the data controller (Skelton was), so primary liability did not rest with Morrisons.

Although Morrisons did have obligations to take appropriate security measures, the court was satisfied that the system in place was sensible and necessary. Morrisons had limited access to the data as far as it could, had internal checks to see who had accessed the data, and had used an appropriate method of transfer to pass the data to KPMG (with encryptions and authorisation requirements).

There was nothing to suggest that Skelton was harbouring a grudge, posed a security threat or could not be trusted with the data so Morrisons had discharged their primary obligations.

Vicarious liability under the Data Protection Act

However, although Morrisons itself had not caused the data breach, the court was prepared to hold Morrisons vicariously liable for the unlawful acts of Skelton.

It is well established that employers can be liable for the wrongful act of an employee if it is carried out in the course of an employee's employment. But deciding on this is not always straightforward.

The judge considered first what Skelton's job actually was. It was important to the eventual decision that handling the data was a key part of his role, and he had been expressly authorised to handle the data in question on this occasion.

The court then considered whether there was sufficient connection between Skelton's job and his wrongful conduct so that it was "right" for Morrisons to be held liable. The court found there was a sufficient connection even though the data was disclosed:

  • from a personal computer
  • outside of work time
  • several months after the data was copied
  • deliberately in order to harm Morrisons

Skelton was entrusted with the data by Morrisons, and on the facts there was an unbroken chain of events leading to the unlawful disclosure. The court considered Skelton's wrongful acts were therefore sufficiently connected to his employment for Morrisons to be vicariously liable.

Steps employers should take

This case is a difficult one for employers because, on the face of it, there is little Morrisons could have done differently to have prevented what happened in light of what Skelton was employed to do.

The courts are willing to find employers vicariously liable for extreme acts perpetuated by employees (including arson, assault, theft and battery). For example, in another recent case involving Morrisons, the retailer was found liable for an unprovoked violent attack on a customer carried out by a petrol station employee.

This shows the difficulties faced by employers because the courts are influenced, to a degree, by where it is "just" for liability to lie (which will often be with the employer, who usually has the deeper pockets).

With the EU Gender Data Protection Regulation (GDPR) fast approaching, employers need to be more mindful than ever about the security measures they have in place to protect personal data. With this in mind, what can organisations do to minimise the risks?

  • Stress-testing data protection security system is essential; were it not for Morrisons' robust security measures it would probably have faced primary liability as well.
  • Organisations are increasingly aware of the risk of external hacks to their systems but the risk of an inside job could be even higher. They should consider what systems they have in place to control access and use of personal data by employees. Has the number of people who can access sensitive data been limited, and has it been considered who those people should be? Can the organisation readily identify who has accessed or copied data from its systems? It should be considered how USB sticks are used and these must be encrypted where they contain confidential or personal data.
  • Breaches can happen accidentally as well as maliciously. Employees should be sufficiently trained in data security and reminded of basic data protection measures regularly.
  • Organisations should be prepared for crisis situations. They should ask what procedures are in place to deal with accidental loss of data, (for example a briefcase left on a train) or theft. Do employees know who to contact with concerns, and is someone in place to deal with issues? Quick action can make a big difference, especially in limiting reputational damage.
  • Organisations may be revamping data protection policies in light of the GDPR. This is an opportunity for a detailed review and an examination of the detail of the standards of care and conduct expected from employees.

Point to watch

The court was concerned that because Skelton's clear criminal aim was to harm Morrisons, in holding Morrisons vicariously liable the court could be an accessory in furthering this criminal aim. Morrisons have, therefore, been granted leave to appeal so this point may be looked at again.

Molly Paatz is a solicitor at Burges Salmon LLP