Supreme Court rules Morrisons not liable for data breach caused by rogue insider

Courts rule in Morrisons’ favour after a disgruntled insider leaked information, setting a precedent around insider threats and data breaches but also leaving questions unanswered.


The Supreme Court has ruled that Morrisons supermarket is not liable for the actions of a rogue employee whose malicious actions caused a data breach. The case, WM Morrisons Supermarket PLC v Various Claimants, was the first in the UK to test whether companies could be vicariously liable for cybersecurity incidents caused by the actions of employees and therefore need to pay compensation to victims, and could have had costly ramifications for both the retailer and companies across the UK.

Malicious insider leaks Morrisons’ employee data

As CSO has previously reported, the case revolves around an incident that occurred in 2014. After being given a verbal warning for a separate infraction of company policy, Andrew Skelton, an IT auditor contracted by the supermarket at the time to transfer HR data to KPMG, copied the data of 99,998 Morrisons employees – including names, bank account details, salaries, and national insurance details – onto a USB stick. He took it home and then posted the data to a file-sharing site. After the leak was discovered, Skelton was jailed in 2015 for eight years for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998.

However, despite the ICO not taking action against the retailer, thousands of Morrisons employees brought proceedings forward seeking compensation for the “upset and distress” caused as a result of their personal data being leaked.

Though Morrisons wasn’t found primarily liable under the Data Protection Act due to the fact it had “adequate and appropriate controls” to protect its data and could not have prevented the misuse of data in this instance, the retailer was found to be vicariously liable – the idea that an employer could be held responsible for the actions of the employee – for Skelton’s actions.

While cases of vicarious liability might traditionally be centered around incidents of employees harassing other employees or customers, WM Morrisons Supermarket PLC v Various Claimants was testing whether the supermarket can be found liable for data breaches caused by insider threats – and ergo liable to pay compensation to affected victims – something that hasn’t been considered in UK law before.

Morrisons not liable for a rogue employee

Courts originally judged in favour of the claimants, but on April 1, 2020, the Supreme Court ruled in Morrisons’ favour, finding that Skelton’s actions were not closely connected enough to his job for vicarious liability to be established and bringing the case to its final conclusion.

“In the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question,” Lord Reed said in a live-stream video explaining the decision. “On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier. In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.”

“The theft of data happened because a single employee with legitimate authority to hold the data also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues,” Morrisons said in a statement following the ruling.

The decision means that the 9,000 employees whose details were published online and who were part of the group litigation against the supermarket will not be entitled to any compensation.

“Had they lost the appeal, then the class would have been permitted to proceed with their action against Morrisons,” says Adelaide Lopez, solicitor in the Litigation group at Wiggin LLP. “Given the number of members of the class, it is likely that the damages would have been considerable. This would have set a dangerous precedent, exposing other companies to similar class actions, possibly a limitation on insurance protection, and resulting in considerable commercial loss.”

Following the ruling, according to a post by DLA Piper, the correct interpretation of the “close connection” test is that employers can only be vicariously liable for the wrongful acts of employees if their conduct is closely connected with the day-to-day activity they are authorised to do and is regarded as part of the ordinary course of their employment. DLA also said the fact that an individual’s employment gives him or her the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability. While the reason for committing wrongdoing is not important, whether an employee is acting on their employer’s instructions or for their own personal reasons is.

Ashley Hurst, international head of tech, media and comms at Osborne Clarke, says the ruling is a “great result” for employers. “The Supreme Court found that both the High Court and the Court of Appeal had misunderstood existing Supreme Court authority, particularly by finding that the employee’s motive in posting payroll data on the internet was not relevant to the question of whether Morrisons should be held liable for this unlawful act,” he says. “In applying the correct test, the Supreme Court found that although the employee had been given the task of collating and transmitting payroll data to external auditors, by taking his own copy of the data and posting it on the internet, the employee was pursuing a personal vendetta against Morrisons and that such actions could not fairly and properly be regarded as done in the course of his employment.”

Data breach liability involving insiders going forward

The result could have a wider effect on businesses that suffer similar incidents involving malicious insiders. Richard Hayllar, partner at UK law firm TLT, says that the decision will be welcomed by all large employers, who will be “breathing a sigh of relief” that they won’t be held accountable for the deliberate or malicious acts of rogue employees.

“The success of Morrisons’ Supreme Court challenge in overturning the judgment of the Court of Appeal indicates a sensible and balanced approach to vicarious liability for employers. Most large businesses already have stringent policies, procedures and training in place to prevent the misuse of data, but if the previous judgments had been upheld this would have set an exceptionally high bar for employers to meet.”

If the Supreme Court had ruled against Morrisons, not only would the retailer have been facing a large compensation bill, but the decision could have set a precedent that UK companies were responsible for the actions of rogue employees that resulted in data breaches, no matter how tangential those employees’ day-to-day involvement with sensitive information.

However, in its blog, DLA also acknowledged that this ruling does not “create a blanket exclusion of no-fault vicarious liability” going forward, and companies shouldn’t assume that they are absolved of any and all breaches resulting from malicious insider actions.

“Lord Reed is quite clear in his judgment that, although vicarious liability did not arise on the facts in this particular case, data protection legislation does not wholly exclude the possibility of vicarious liability for an employee’s deliberate data breach,” says Emma Erskine-Fox, associate in the tech and IP team at TLT. “The door has therefore been left open for claimants to pursue vicarious liability claims for employee data breaches, even those committed deliberately with malicious intent, if the facts of the case indicate that the breach was committed in the course of employment.”

Additionally, while the ruling might provide greater clarity for incidents that happened under the Data Protection Act 1998, it still leaves potential questions for organisations that suffer similar incidents after May 2018 under the jurisdiction of the GDPR and Data Protection Act 2018, both of which came into force after the Morrisons incident.

“What is interesting is that neither the Data Protection Act 2018 nor the GDPR address the issue of vicarious liability,” says Laurence Winston, partner and data protection expert at Crowell & Moring. “It therefore remains an issue as to whether the Court would make a similar finding regarding vicarious liability under the DPA 2018 and/or the GDPR for an employee who was a data controller. From the Morrisons case, I consider it likely that the Court would adopt a similar approach but that remains untested.”

No excuse to be lax on security controls

Another key point organisations should still be aware of is that this case came about because Morrisons was previously found to have appropriate controls in place around its data; without those controls, it would have been found directly liable for the breach under the Data Protection Act 1998, without the question of vicarious liability ever arising. This case does not absolve companies of the need for proper data protection technologies or processes around their sensitive information, nor does it protect them from other fines or punishments if incidents do occur.

“Businesses should ensure that their contractors hold their own insurance and that their contracts contain provisions placing liability for wrongdoings fully on the contractor,” advises Fiona Kingscott, solicitor at Langleys Solicitors. “These are, however, not failsafe safeguards, and businesses ultimately need to be alive to the risk that employees and contractors may break the law, whilst engaged in their duties, and the business can be held liable.”

Overall, the decision should send a reassuring message to UK businesses, according to Martin Noble, commercial partner at law firm Shakespeare Martineau. “Personal data should be treated with the utmost care, but businesses don’t have to go to the ends of the earth as there will always be some rogue employees who can find loopholes. In a litigious society, this will provide some comfort to those who do their best to implement data privacy policies and procedures, but still worry about being held vicariously liable in the event of a breach.”

“Employers and/or data controllers can still be liable, if personal data is not properly looked after. This case was quite specific in that it wasn’t in the ordinary course of business and the data controller went off on his own with a personal vendetta against Morrisons.”

Copyright © 2020 IDG Communications, Inc.
