Meera Manoj, Gujarat National Law University, India
The case of Various Claimants v Wm Morrisons Supermarket PLC (“Morrisons”) decided by the High Court on 12 December 2017[1] is significant for several reasons. In addition to being the first data breach class-action in the United Kingdom, it crucially imposes vicarious liability on Morrison’s Supermarket PLC for the criminal actions of its rogue employee despite the company having taken all reasonable precautions to guard against any data breach.[2] The High Court however granted Morrisons leave to appeal to avoid rendering itself ‘an accessory in furthering the perpetrator’s criminal aims’.[3]
This blog post analyses the reasoning of the High Court in Morrisons in relation to its finding on the issue of vicarious liability. It then concludes with some considerations regarding the company’s appeal of 9 October 2018, which seems bound to finally shed some light on the scope of companies’ liability in relation to the handling of personal data.[4]
FACTS
The case in Morrisons regards a massive data breach. Names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salaries of 99,998 Morrisons’ employees were published on several websites.[5]
The leak was traced to Mr. Andrew Skelton, a Senior IT Auditor in Morrisons’ employment who was disgruntled due to a prior disciplinary action taken against him by the company. Mr Skelton was subsequently convicted and sentenced to a term of 8 years’ imprisonment for fraud under the Computer Misuse Act 1990 and the Data Protection Act 1998.[6]
ISSUES
The main issue before the High Court was the existence and nature of the liability of Mr Skelton’s employer, Morrisons PLC, for the data breach. Specifically, the Court assessed the question of whether the company could be held primarily or vicariously liable for the criminal actions of its employee under the Data Protection Act 1998.
- Primary Liability
The High Court held that Morrisons could not be primarily liable for the unauthorized breach of Mr Skelton as it was not the “data controller” at the time.[7] The UK Court also found that the company had taken all reasonable security precautions in areas that could have otherwise directly given rise to the breach.
This point was decided conclusively without any leave for appeal.[8]
- Vicarious Liability
The UK High Court found that Morrisons was liable for the unauthorized acts of Mr. Skelton through vicarious liability – that is, the common law doctrine under which someone may be held responsible for the actions or omissions of someone else.[9]
The UK Court arrived at this conclusion on the basis of the reasoning that the actions taken by Mr. Skelton fell well within the “course of his employment” as they constituted an unbroken sequence of events. According to the Court, Mr Skelton had indeed been specifically provided with the payroll data and had been appointed on the basis that he could be trusted with such confidential information. Morrisons had thus taken the risk of being held liable when it entrusted him with such responsibilities.[10]
The UK Court also held that the indicative criterion to determine vicarious liability, of whether the employee’s action benefited the employer, was not conclusive.[11] To this end, it relied on the case of Mohamud v WM Morrison Supermarkets plc (“Mohamud”) to reiterate that the employee’s motive is irrelevant.[12]
ANALYSIS
The decision in Morrisons is consistent with the general trend of UK Courts of favoring innocent victims (the employees whose data protection rights were breached) over the innocent company to ensure that they receive compensation. However, this policy position of the Court has a number of pitfalls and appears not to be fully coherent with the decision to grant partial leave for appeal.
To begin with, it seems almost ironic that the Court did not attribute any weight to Mr. Skelton’s motives. This reasoning creates the paradoxical situation that an employer may be held liable for acts aimed precisely at damaging it. The Court itself recognized the paradox created by its approach. It acknowledged that by imposing damages on the company through vicarious liability, it could well become a “witting instrument of the criminal” – supporting Mr Skelton to achieve his goal of harming the company. This unsettling concern persuaded the Court to grant leave for appeal.[13]
Secondly, the Court’s reliance on the judgement in Mohamud to state that the employee’s motive is irrelevant is at odds with its final decision to allow room for appeal, which was instead not granted in the previous case. It is true that Mohamud is partially different, as the employee acted out of spite and resentment towards third parties – customers to whom the employee directed racist comments – and not towards the company itself. Thus, imposing damages on the company did not further the employee’s aim.[14] It is also true that – as in Mohamud – the Court correctly identifies the purpose of vicarious liability to equitably distribute losses on the basis of the Deep Pocket Theory rather than to identify wrong-doing.[15] However, it does not seem equitable to impose a greater burden on an innocent company that has already been targeted and financially impacted by the acts of its employees.
On this point, the Court seems to attempt to ease its conscience in imposing such a cost on the company by stating that it could reasonably be expected to be insured for the amount of damages.[16] This approach seems however almost utopian, as reimbursements depend on how insurance companies choose to word their policies based on the final holding.
The Court’s decision in Morrisons, if upheld, seems thus destined to impose a heavy burden on companies, exposing them to class actions regardless of the significant resources spent on complying with data protection norms. It also creates an incentive to shift to mechanical processes, as machine-based steps would drastically reduce, if not eliminate, the need for trustworthy employees. This approach further promotes an atmosphere of distrust in the workplace, promoting dismissals and greater surveillance.
The introduction of the European Union General Data Protection Regulation (“GDPR”)[17] may further complicate matters as it imposes far more onerous data protection obligations on companies. Indeed, as also stated in Morrisons, in the absence of an express exclusion, common law principles and equity concepts such as vicarious liability still apply on top of the additional burdens imposed on companies by statute.[18] Such exclusion does not appear under the GDPR, which also imposes obligations on data processors,[19] exposing companies to more significant financial burdens and sanctions in case of non-compliance.
CONCLUSIONS
It remains to be seen whether the findings of the High Court will be reversed on appeal.
Morrisons’ main argument is that the decision of the High Court unreasonably constitutes an accessory to a crime, furthering the employee’s plan to damage the company.[20] Were this line of argument successful, it would create an exception to the principle that companies are vicariously liable for criminal acts by their employees despite taking appropriate security measures when the criminal employee’s motivation is to harm the company.
Although more equitable, this conclusion would however set an uneasy trend for victims in vicarious liability cases who, although suffering the same injury, would have a right to a different redress simply because of the motive of the perpetrator.
It remains now for the UK Court of Appeal to strike a tricky balance between promoting social justice while not unfairly burdening corporations.
[1] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB)
[2] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [196] [197]
[3] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [198]
[4] ‘Morrisons appealing over staff data leak compensation’ BBC News (London, 9 October 2018) 2 available at <https://www.bbc.com/news/uk-45793598> last accessed 14 October 2018
[5] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [2]
[6] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [8]
[7] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [64], [65]
[8] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [198]
[9] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [49]
[10] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [184]
[11] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [135], [137]
[12] Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11
[13] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [198]
[14] Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11
[15] Giliker, P. (2016). Vicarious liability in the UK Supreme Court. In UK Supreme Court Yearbook (Vol. 7, pp. 152-166). Appellate Press Ltd., available at <https://research-information.bristol.ac.uk/files/102062403/Professor_Paula_Giliker_Vicarious_Liability_in_the_UK_Supreme_Court_2016_7_The_UK_Supreme_Court_Yearbook_152.pdf> last accessed 12 October 2018
[16] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [158]
[17] Council Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (EU General Data Protection Regulation) [2016] OJ L 119
[18] Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) [159]
[19] Council Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (EU General Data Protection Regulation) [2016] OJ L 119
[20] Rob Moss, ‘Morrisons payroll data breach reaches Court of Appeal’ Personnel Today (London, 9 October 2018) 2 available at <https://www.personneltoday.com/hr/morrisons-payroll-data-breach-reaches-court-of-appeal/> last accessed 13 October 2018