Vicarious Liability for Data Breaches after CA Judgment in Morrisons

October 21, 2018

Large-scale civil litigation is one of the developing
contours of data protection law. The recent judgment in Lloyd v Google [2018] EWHC 2599 (QB)
(on which I commented here) – a novel representative action based on allegedly
unlawful processing activities – is one illustration. When it comes to group
litigation on the back of a data breach, our best illustration thus far is the
ground-breaking group action against Morrisons.

As readers will recall, the Morrisons data breach was the
result of the deliberate, criminal actions of a disgruntled former employee. He
exploited his legitimate working access to Morrisons’ databases to steal and
post online the personal details of almost 100,000 Morrisons employees. The
data consisted of names, addresses, gender, date of birth, phone numbers (home
or mobile), national insurance numbers, bank sort codes and account numbers,
and salary details. The ICO investigated, but decided that no enforcement
action was appropriate.

Group litigation was, however, commenced, involving some
5,500 affected employees. In a judgment handed down in December 2017 – Various
Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 – Langstaff J held that:

  • (1) Morrisons was not directly liable for the breach: it did not
    itself misuse any private information, and – except in one inconsequential
    respect – its data security measures were adequate; and
  • (2) Morrisons was, however, vicariously liable for the rogue
    employee’s actions.

Morrisons appealed on issue 2 (there was no challenge on
issue 1). The appeal was heard on 9 and 10 October, with judgment following
very swiftly on 22 October. The Court of Appeal (the Master of the Rolls, Bean
LJ and Flaux LJ) has dismissed Morrisons’ appeal: see [2018] EWCA Civ 2339.

Grounds 1 and 2 of the appeal were addressed together.
Ground 1 was that vicarious liability does not apply to the DPA 1998. Ground 2
was that the DPA 1998 excluded common-law causes of action for misuse of
private information and breach of confidence and/or the imposition of vicarious
liability for breaches of the same.

In outline, Morrisons argued that the DPA 1998 was a
comprehensive code for dealing with data breaches of this kind. The seventh
data protection principle – the duty to have in place appropriate technical and
organisational measures – was tailor-made for the task. So, if you satisfy that
principle, you should not be saddled with vicarious liability for rogue actions
such as this, because you did what was reasonably required to safeguard the
data.

Importantly, the claims were brought at common law as well.
Morrisons did not argue that the DPA 1998 ousted the common-law tort of misuse
of private information. Rather, it argued that, where the DPA 1998 and the
common law came into conflict, the statute should prevail. Vicarious liability
was one such area of conflict.

The Court of Appeal was unpersuaded: ‘We consider it is
clear, however, that whatever the position on the first ground of appeal, the
vicarious liability of an employer for misuse of private information by an
employee and for breach of confidence by an employee has not been excluded by
the DPA’ (at [48]). The Court rejected the argument that, in enacting the
DPA 1998, Parliament had intended to exclude common law actions that
conflicted with the analysis under that statute. The ultimate conclusion was
this (at [60]):

‘In conclusion, the concession that the causes of action for
misuse of private information and breach of confidentiality are not excluded by
the DPA in respect of the wrongful processing of data within the ambit of the
DPA, and the complete absence of any provision of the DPA addressing the
situation of an employer where an employee data controller breaches the
requirements of the DPA, lead inevitably to the conclusion that the Judge was
correct to hold that the common law remedy of vicarious liability of the
employer in such circumstances (if the common law requirements are otherwise
satisfied) was not expressly or impliedly excluded by the DPA.’

Morrisons’ third ground of appeal was that the judge below
was wrong to conclude (a) that the wrongful acts of the rogue employee occurred
during the course of his employment by Morrisons, and, accordingly, (b) that
Morrisons was vicariously liable for those wrongful acts. Applying the
relevant case law to the facts of the present case, the Court of Appeal was
unsympathetic to Morrisons’ challenge.

Doesn’t this leave data controllers horribly exposed to the
actions of others? Maybe, said the Court of Appeal – but the solution lies with
being properly insured. See the judgment at [78]:

‘There have been many instances reported in the media in
recent years of data breaches on a massive scale caused by either corporate
system failures or negligence by individuals acting in the course of their
employment. These might, depending on the facts, lead to a large number of
claims against the relevant company for potentially ruinous amounts. The
solution is to insure against such catastrophes; and employers can likewise
insure against losses caused by dishonest or malicious employees…’

Robin Hopkins is a barrister at 11 KBW: https://www.11kbw.com/.

This article first appeared as a blog post on the Panopticon blog.