Morrisons' data-leak suit could prompt companies to improve oversight processes

UK businesses have begun a nervous wait for a final verdict in the data-breach court battle that has pitted Wm Morrison Supermarkets against an army of its employees — and that threatens far-reaching implications for any organizations handling quantities of personal data.

What the UK’s highest court decides in coming months will be a marker for how they prepare for and mitigate against the risks of personal data under their control being compromised and whether they have to rewrite the manual on their oversight processes.

Lawyers for more than 9,000 Morrisons staff argued at the Supreme Court last week that the grocer must be held liable for the actions of a rogue employee who leaked confidential payroll data with which he had been entrusted.

Two lower courts have already said that Morrisons has “vicarious liability” for the disgruntled employee’s action. If the Supreme Court judges agree, the supermarket could be exposed to payouts of tens of millions of pounds.

More importantly, though, success for the claimants could open other companies to the risk of liability for the deeds of employees, even when their aim is to damage their employer. It would also embolden workers to mount group litigation actions against employers on the basis that the loss of their personal data caused them distress.

In its defense last week, Morrisons argued that the outcome would reach far beyond business to encompass charities, government agencies and even self-employed people.

Implications

In last week’s hearings, the Supreme Court heard fresh arguments on both sides in Morrisons’ fight against a collective compensation claim that stems from a major security breach in 2014, when senior internal auditor Andrew Skelton published online the payroll information — including names and bank account details — of almost 100,000 employees.

In 2015, Skelton was jailed for eight years for fraud and disclosing personal data, but the incident sparked the first-ever collective claim for compensation over a data leak in the UK, which has now drawn in more than 9,000 claimants. Its outcome could trigger a wave of similar court challenges against other companies.

Morrisons' case is certainly not isolated, and such data leaks will only increase in coming years. Just last week, it emerged that London-based cybersecurity company Trend Micro suffered a similar fate: an employee sold information from the company’s customer-support database, including names and phone numbers of 70,000 people, to a third party.

The two lower-court verdicts in the cases — by the High Court in 2017 and the Court of Appeal in 2018 — spotlighted the risks for companies, and these have been thrown into sharp relief after Morrisons appeared unable to deliver a clearly compelling argument in front of the Supreme Court last week, suggesting that judges there might follow the same logic.

If it does lose, and its secondary liability is established, that could push companies to place greater restrictions on employees’ access to bulk data, for example through advanced software blocks on sensitive data being copied, intentionally or unintentionally, by staff members authorized to access that information.

Businesses would also need boost their vetting and monitoring processes, as well as governance, to ensure only the right people have the right access.

Others might invest in more stringent measures to identify and prevent insider threats to compromise data. Such an exercise promises to be tricky, particularly any intrusive measures that could violate employees' privacy rights, creating a double-edged sword for businesses.

All of this will add to existing obligations and expensive processes to keep data safe from security breaches.

Alternatively, employers will need to consider obtaining appropriate insurance. Many, however, would see this as an unsatisfactory answer, since everyone’s premiums would go up.

As a way out, companies might decide to pass on the costs of the risk of being held vicariously liable for their employees to customers, or donors in case of charities — an argument advanced by Morrisons last week.

At the same time, a lack of regulatory clarity could result in companies overreacting and taking extreme measures to manage risk, prompting calls for a need for new laws that provide clarity.

In particular, pressure may emerge for regulatory changes to clarify the interplay between data-protection rules and common-law misuse of private information and breach of confidence.

Legal regime

The claimants’ likelihood of success will hinge in large part on a central question: Does the UK’s 1998 data-protection legislation exclude the possibility of a company being saddled with vicarious liability for an employee’s violations under common law?

The dispute is over whether UK lawmakers, when passing the legislation two decades ago, had intended such an exclusion. Judges have so far concluded that the legislation says nothing about secondary liability for wrongful processing by the data controller.

While the case is being heard under the provisions of the 1998 law, it will influence future cases judged under the current Data Protection Act 2018, which implemented the EU’s General Data Protection Regulation. Morrisons argued during last week’s hearing that the 2018 UK rules were “substantially identical” to the previous regime.

Morrisons argues that legislation does consider “thought-based liability,” where the employer has an obligation to take "reasonable steps to ensure the reliability of any employees of his who have access to the personal data" — something it has been shown to have done.

Morrisons argued that Parliament had addressed the need for balance between competing interests of data subjects, the public in the free flow of data, and employers in that they shouldn't be held responsible where they didn't do anything wrong.

The test, Morrisons said, is that if vicarious liability under common law and statutory law cover the same ground — in this case, privacy — and if they are inconsistent with each other, then the common law remedy wouldn't apply.

It is an argument the supermarket mounted in its earlier court hearings; its last hope may now rest on far the Supreme Court judges agree.