The Supreme Court has given Morrisons permission to appeal a ruling that found the supermarket liable for a data breach caused by a malicious insider.
Morrisons has lost two cases related to its March 2014 data breach, in which Andrew Skelton, a senior internal auditor at the supermarket’s Bradford office, leaked the payroll data of 99,998 employees. The information comprised names, addresses, gender, dates of birth, phone numbers, National Insurance numbers, bank details and salaries.
Skelton was arrested soon after leaking the data and in July 2015 was sentenced to eight years in prison.
Meanwhile, a class action of 5,518 employees took the supermarket to court, claiming compensation for the “upset and distress” caused by the leak. Morrisons argued that it wasn’t responsible for Skelton’s actions and that it had taken all the necessary precautions to secure employees’ data.
Both the High Court and Court of Appeal agreed that Morrisons defences were appropriate, but still deemed the supermarket ultimately responsible for its employees’ data and therefore vicariously liable for the breach.
Why have the courts found Morrisons liable?
This incident shows how complex liability can be regarding data breaches. Morrisons is both the victim – having been awarded £170,000 in compensation – and liable for the breach, at least for now.
The High Court initially found in favour of the employees, ruling that despite Morrisons’ compliance with the Data Protection Act 1998, it was nevertheless partially responsible for the breach because Skelton had acted in the course of employment, albeit “without authority and criminally”.
The Court of Appeal unanimously upheld the ruling, a decision that many didn’t see coming. However, Richard Cumbley of Linklaters said that the courts’ decision is based on a “well established” principle, because Skelton’s criminal actions were “closely related to what he was tasked to do” in his job.
Dan Cooper, a partner at Covington & Burling, agreed, saying that employers should bear the enterprise risk and assume liability for the actions of their employees, as long as they were performed as part of their job.
Nick McAleenan, a partner at JMW Solicitors, which is representing the claimants in the ongoing case, said:
“While the decision to grant permission for a further appeal is of course disappointing for the claimants, we have every confidence that the right verdict will, once again, be reached – it cannot be right that there should be no legal recourse where employee information is handed in good faith to one of the largest companies in the UK and then leaked on such a large scale.
“This was a very serious data breach which affected [thousands of] Morrisons’ employees – they were obliged to hand over sensitive personal and financial information and had every right to expect it to remain confidential. Instead, they were caused upset and distress by the copying and uploading of the information.”
Does Morrisons stand a chance?
The Supreme Court’s decision to allow Morrisons to appeal the case means it is certainly not an open-and-shut case. It will be a real test of the UK’s interpretation of vicarious liability under data protection law, and it could have significant consequences for the GDPR (General Data Protection Regulation).
The GDPR introduced a provision for data subjects to receive “full and effective compensation for the damage they have suffered” as a result of processing that infringes the Regulation. That obviously won’t come into play here as the leak occurred before the GDPR took effect, but a definitive ruling one way or the other will determine whether we will see more class actions in the future.
The three Court of Appeal judges who denied Morrisons’ earlier claim – Lord Justices Bean and Flaux, and Master of the Rolls Sir Terence Etheron – believe that organisations may turn to cyber security insurance to protect them against vicarious liability. However, as the US food giant Mondelez learned earlier this month, cyber security insurance has its own pitfalls.
Morrisons, and plenty of other organisations, will be hoping it doesn’t come to that, but the cost of tackling data breaches will be expensive either way.
The supermarket spent £2 million responding to the breach back in 2014; as it takes its case to court again, even more is at stake. If the final ruling goes against Morrisons, the supermarket will have to compensate not only those who filed the class action but also every employee whose data was breached.