Court of Appeal confirms Morrisons' liability for rogue employee

There has been much commentary on the recent Court of Appeal decision which confirmed that Wm Morrison Supermarkets plc ('Morrisons') was vicariously liable for a deliberate, and criminal, data breach by an employee.

Summary of case

In case you haven't heard, here is a very brief summary of the events, which happened back in January 2014. A disgruntled Morrisons employee with legitimate access to payroll data maliciously disclosed information relating to around 100,000 Morrisons employees. Andrew Skelton was employed as a senior IT auditor, a position of trust which required both discretion and confidentiality. The disclosed information included contact details, gender, date of birth, National Insurance number, bank account details and salary. Not only was this information posted openly on a file-sharing website, but CDs containing the same information were sent to three newspapers, two of which were local to the Morrisons head office in Bradford.

The papers alerted Morrisons, who within a few hours had the data taken down from the file-sharing website. Skelton was arrested shortly afterwards and subsequently convicted of offences under the Data Protection Act 1998, the Computer Misuse Act 1990 and the Fraud Act 2006, the last of these attracting a custodial sentence. Skelton is currently serving the eight-year sentence handed down in July 2015. It was estimated at trial that the breach cost Morrisons £2 million, including legal fees, to mitigate.

Fast forward to October 2017, when approximately 5,500 affected employees claimed against Morrisons for losses under the Data Protection Act 1998, for misuse of private information, and in equity for breach of confidence. If the claim for direct liability failed, the group submitted that Morrisons was vicariously liable for the actions of its employee.

And so we arrive at last week's decision, in which the Court of Appeal upheld the High Court's finding that Morrisons is vicariously liable for the actions of its former employee. Rogue or not, this is understandably a difficult prospect for employers. The decision rested, amongst other things, on the Court of Appeal's view that an employer is more likely than the wrongdoer to have the means to compensate the victims, and on the Court's expectation that the employer will have insured against the liability.

Commentators have been quick to question the fairness of this decision. Skelton harboured a grudge against his employer. He carried out a calculated and premeditated act with the objective of causing considerable damage to that employer. Yet despite Morrisons not knowing (and not being in a position where it should have known) of the threat Skelton posed, the court held that there was a sufficient connection between Skelton's role within the company and his wrongful conduct. That Morrisons itself was not at fault was irrelevant: Morrisons was liable. 'Social justice' is the new sheriff in town, and the moral code is tough.

What practical steps can employers take to protect themselves from the data risk associated with fallible, or sometimes even malicious, employees?

We have set out below some suggested practical steps to support the mitigation of data-related risk.

Start with a risk assessment. This is fundamental to choosing appropriate mitigation, and it underlines the premise that managing risk is not a one-size-fits-all exercise. Follow the basic risk management steps: identify, analyse, evaluate, treat, monitor. Make sure your data security measures are appropriate and proportionate to the data you process and to the risks you have identified.

Have clear data security policies which are promoted and regularly reviewed. Promote data security from 'the top down'. Embed good security practices into the culture of your organisation. Train and educate your staff.

Consider data loss prevention (DLP) controls. What works best for your organisation will depend on a number of factors, including available resources and the outcome of your risk analysis. Consider whether technical measures such as locking down USB ports and access to removable media should form part of your DLP strategy; in the Morrisons case the data reached the newspapers on CDs.

Assess the business and security requirements for each category of data and apply least-privilege access control principles: staff should hold only the permissions their current role needs. Ensure permissions are kept up to date; regularly review your joiners, movers and leavers so that access is granted, changed and removed as roles change and people depart.
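As an added example (not from the original article, and not Morrisons' own tooling), here is a small joiners/movers/leavers reconciliation in Python. It compares an HR roster with the entitlements actually granted in a system and flags grants that belong to nobody, to a leaver, to a previous role, or to no role at all. The role model, user IDs, entitlement names and dates are all constructed for the example.

```python
"""Joiners/movers/leavers (JML) access review on constructed data.

Reconciles an HR roster against the entitlements granted in a system and
flags the four things a periodic access review should catch:
  orphaned - a grant for someone HR has no record of
  leaver   - a grant still live for someone who has left
  mover    - a grant from a previous role that survived a role change
  excess   - a grant outside what the person's current role needs
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical role model (an assumption for this example): what each role
# is entitled to. In practice this comes from your access-control design.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll:read", "payroll:write"},
    "it_auditor": {"payroll:read", "audit_logs:read"},
    "store_manager": {"rota:read", "rota:write"},
}


@dataclass(frozen=True)
class Person:
    user_id: str
    role: str
    status: str                          # "active" or "left"
    role_changed: Optional[date] = None  # date of the last move, if any


@dataclass(frozen=True)
class Grant:
    user_id: str
    entitlement: str
    granted_on: date


Finding = Tuple[str, str, str]  # (kind, user_id, entitlement)


def review_access(roster: List[Person], grants: List[Grant]) -> List[Finding]:
    """Return every grant that does not match the holder's status or role."""
    people = {p.user_id: p for p in roster}
    findings: List[Finding] = []
    for g in grants:
        p = people.get(g.user_id)
        if p is None:
            findings.append(("orphaned", g.user_id, g.entitlement))
        elif p.status == "left":
            findings.append(("leaver", g.user_id, g.entitlement))
        elif g.entitlement not in ROLE_ENTITLEMENTS.get(p.role, set()):
            # A grant older than the last role change was carried over from
            # the previous role; anything else is simply excess.
            carried_over = p.role_changed is not None and g.granted_on < p.role_changed
            kind = "mover" if carried_over else "excess"
            findings.append((kind, g.user_id, g.entitlement))
    return findings


# Constructed sample: an HR roster and the grants found in a payroll system.
SAMPLE_ROSTER = [
    Person("u001", "payroll_clerk", "active"),
    Person("u002", "it_auditor", "active", role_changed=date(2014, 1, 10)),
    Person("u003", "store_manager", "left"),
]
SAMPLE_GRANTS = [
    Grant("u001", "payroll:read", date(2013, 3, 1)),
    Grant("u001", "payroll:write", date(2013, 3, 1)),
    Grant("u002", "payroll:read", date(2012, 6, 1)),
    Grant("u002", "payroll:write", date(2012, 6, 1)),     # left over from old role
    Grant("u002", "audit_logs:read", date(2014, 1, 10)),
    Grant("u003", "rota:write", date(2011, 1, 1)),        # holder has left
    Grant("u999", "payroll:read", date(2010, 1, 1)),      # nobody in HR roster
    Grant("u001", "audit_logs:read", date(2013, 9, 1)),   # not needed by role
]


def run_sample_review() -> List[Finding]:
    """Run the review over the constructed sample data."""
    return review_access(SAMPLE_ROSTER, SAMPLE_GRANTS)


if __name__ == "__main__":
    for kind, user, entitlement in run_sample_review():
        print(f"{kind:9s} {user} {entitlement}")
```

The review only finds what the role model says it should; the real work in a JML process is keeping that model and the HR feed accurate, and acting on the findings promptly rather than at the next quarterly review.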

Minimise the data you collect and retain, and consider anonymisation and pseudonymisation. Less is almost always more, and where the identification of the individual is ancillary to the purpose, always seek to anonymise data. Bear in mind that pseudonymised data is still personal data under GDPR, because the key allows re-identification; only properly anonymised data falls outside it.
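An added example (not the article's own, with fictional National Insurance numbers, made-up salaries and a constructed candidate list) showing the difference in Python: keyed pseudonyms via HMAC-SHA256 that remain linkable per person but cannot be turned back into the NI number without the key; why an unkeyed SHA-256 of the identifier is not a pseudonym when an attacker can enumerate candidates; and aggregation as genuine anonymisation.

```python
"""Pseudonymisation versus anonymisation of a payroll extract (constructed data)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed payroll rows; the NI numbers and salaries are made up.
EMPLOYEES: List[Dict] = [
    {"ni": "AB123456C", "gender": "F", "salary": 32000},
    {"ni": "CD234567D", "gender": "M", "salary": 28000},
    {"ni": "EF345678A", "gender": "F", "salary": 26000},
]

# Constructed list an attacker might hold (e.g. from another leak), mixing
# the real NI numbers above with decoys.
CANDIDATE_NIS = ["ZZ999999Z", "CD234567D", "QQ111111A", "AB123456C", "EF345678A"]

DIRECT_IDENTIFIERS = ("ni",)


def pseudonym(ni: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same NI and same key give the same token.

    The key, not the data, is what makes re-identification possible, so it
    belongs in a separate system (KMS/HSM) from the pseudonymised extract.
    """
    return hmac.new(key, ni.encode("ascii"), hashlib.sha256).hexdigest()


def pseudonymise(rows: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace direct identifiers with a pseudonym; leave other fields as they are."""
    out = []
    for row in rows:
        clean = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        clean["pseudo_id"] = pseudonym(row["ni"], key)
        out.append(clean)
    return out


def unkeyed_hash(ni: str) -> str:
    """The tempting but wrong approach: a plain SHA-256 of the identifier."""
    return hashlib.sha256(ni.encode("ascii")).hexdigest()


def reverse_by_enumeration(token: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker does with an unkeyed hash: hash every candidate and
    compare. NI numbers have a small, well-formed space, so a real attacker
    can enumerate far more than this short list."""
    for ni in candidates:
        if hmac.compare_digest(unkeyed_hash(ni), token):
            return ni
    return None


def mean_salary_by_gender(rows: Iterable[Dict]) -> Dict[str, float]:
    """Anonymisation by aggregation: no per-person record survives the output."""
    totals: Dict[str, int] = {}
    counts: Dict[str, int] = {}
    for row in rows:
        g = row["gender"]
        totals[g] = totals.get(g, 0) + row["salary"]
        counts[g] = counts.get(g, 0) + 1
    return {g: totals[g] / counts[g] for g in totals}


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated per extract; kept apart from the data
    print(pseudonymise(EMPLOYEES, key))
    print("unkeyed hash reversed to:", reverse_by_enumeration(unkeyed_hash("AB123456C"), CANDIDATE_NIS))
    print("keyed pseudonym reversed to:", reverse_by_enumeration(pseudonym("AB123456C", key), CANDIDATE_NIS))
    print(mean_salary_by_gender(EMPLOYEES))
```

The pseudonymised rows still let an analyst link records for the same person, which is exactly why they remain personal data; the aggregate figures do not, and where a pay-gap style question is all the business needs, the aggregate is the data to share.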

Ensure you have a robust incident reporting process that is available to all colleagues. Nurture a 'no blame, open reporting' culture and be sure to learn from near misses and mistakes. Ensure incidents are logged, reported and discussed at board level. Remember that GDPR requires a personal data breach to be notified to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and to the affected individuals themselves where the risk to them is high.

How you respond to an incident is critical to limiting the damage. Have clear plans in place and ensure all relevant teams understand their role. Appoint a decision maker. Remember that an incident can happen outside working hours. Consider whether media training is appropriate for your organisation.

'Huge Payout Looms for Morrisons'…but does it?

The recent Court of Appeal decision dealt only with the issue of liability. There may still be a long road ahead before the amount payable to the group is determined. There has not yet been any discussion of how much loss or distress the individuals have suffered, and the evidence has yet to be presented. Identity theft was clearly a concern, together with the potential for access to individuals' bank accounts.

There is, however, a small glimmer of hope on the horizon. The recent case of Lloyd v Google, decided in the High Court in early October, serves as a timely reminder that group claimants have no automatic expectation of cash following a data breach. Damage must flow from the contravention of the duties alleged against the defending party, and claimants must still show that they suffered loss or harm as a result of the breach. The breach in itself does not create a right to compensation.

The reality is, of course, that the issue of damages may never get to court. Morrisons, who have probably had their fill of PR from this case, may agree a settlement out of court, in which case we are unlikely to be any the wiser about the value of the individuals' claims. From an objective onlooker's perspective that would be a real shame; our money would be on a figure far from the huge payout the headlines currently predict.