With the GDPR now in force, employers could face eye-watering fines if they fail to protect their employees’ data. Katherine Newman and Hans-Christian Mehrens of Faegre Baker Daniels explain how a recent case against Morrisons highlights employers’ responsibilities in preventing malicious data breaches.
In a recent case against Morrisons, the High Court considered whether the retailer was liable for an employee’s malicious disclosure of other employees’ personal data.
This case – Various Claimants v WM Morrisons Supermarket PLC – is the first data breach group litigation in the UK courts, with 5,518 employees bringing claims relating to misuse of their personal data, including contact details, national insurance numbers and bank details.
General Data Protection Regulation
This case is particularly of note following the introduction of the General Data Protection Regulation (GDPR) on 25 May. Accountability is a key concept under the GDPR and data controllers have to show they have implemented appropriate data protection measures. Being unable to do so may expose businesses to significant fines, with the GDPR raising these to eye-watering levels of up to £20m or 4% of annual global turnover.
The employee involved, Mr Skelton, was a senior internal auditor employed by Morrisons. In 2013, feeling aggrieved about a disciplinary process, he secretly copied a payroll file containing the personal data of some 100,000 employees. He uploaded this file to an online file-sharing website and shared it with three newspapers.
Upon discovering the misuse, Morrisons took immediate steps to protect the affected employees from potential loss. Mr Skelton was sentenced to eight years in prison for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA 1998).
The affected employees brought claims on the basis that a) Morrisons was directly liable under the DPA 1998 for Mr Skelton’s act of disclosing data; or that b) Morrisons was liable under common law principles of vicarious liability.
The High Court found that Morrisons, although not directly liable, was vicariously liable. Damages for distress were awarded. Permission to appeal has been granted.
The costs judgment handed down on 16 May saw Morrisons ordered to pay only 40% of the claimants’ costs, a departure from the general rule that the successful party is entitled to all of its costs. The claimants’ arguments had mainly related to the first basis, direct liability under the DPA 1998, and as that part of the claim was unsuccessful, the court made a reduced costs order.
When finding Morrisons vicariously liable, the court considered a number of factors, including that Mr Skelton had been given access to the data through his work and that Morrisons had deliberately entrusted him with it: his acts had therefore been “in the course of employment”. This was despite the fact that Mr Skelton intended to harm Morrisons, no financial damage was caused to the employees, and Morrisons had no reason to distrust Mr Skelton or anticipate the breach.
The court decided that there was a seamless and continuing series of events that linked Mr Skelton’s work for Morrisons with the disclosure itself, despite Mr Skelton copying the data in his own time, using his own equipment.
The court dismissed the direct liability claims both under the DPA 1998 and under the common law remedy of misuse of private information: Morrisons had not breached any of the data principles under the DPA 1998 and its data protection measures were sufficient.
Data protection measures
Although this case shows that businesses ultimately remain responsible for any data they hold and the way in which their employees handle it, it also highlights that the law recognises that not every human misjudgement can be prevented – having implemented appropriate data protection measures meant that Morrisons avoided any direct liability.
To avoid financial liability as a consequence of data leaks, businesses should:
- Scrutinise recruitment decisions on key personnel who will access personal data;
- Restrict access to personal data on a need-to-know basis;
- Train employees on the consequences of data breach, including personal liability and criminal sanctions;
- Implement appropriate data handling and security policies and procedures, including technological safeguards preventing unauthorised access to personal data and monitoring whenever large files are copied;
- Keep records of every data incident;
- Implement incident response and data breach notification plans;
- Review employees’ use of own devices; and
- Consider data breach insurance.
As this case potentially sets a precedent for future group litigation, businesses should proactively seek to mitigate the consequences of data leaks to limit financial liability, even though the unpredictable human element is outside their control. Any mitigation strategy will need to consider GDPR requirements, with businesses now having to inform the Information Commissioner, and in certain situations the affected data subjects, within 72 hours of becoming aware of a data breach.