Morrisons' liability ruling doesn't let companies off the hook for data breaches

A landmark UK ruling freed Wm Morrison Supermarkets from indirect liability for a rogue employee's data leak — but still leaves the door open for future litigation targeting companies over accidental data disclosures by employees.

To protect themselves, businesses at the very least will need to demonstrate solid internal procedures and training practices as well as limit the amount of information they hold and control who has access.

Morrisons, a major British supermarket chain, won its legal battle over a class action involving thousands of employees at the UK's top court on the specific facts of the case.

The Supreme Court said disclosure online of payroll data by disgruntled employee Andrew Skelton didn't form part of his role at Morrisons; that the act wasn't authorized; that a temporal link between the disclosure and the purpose of entrusting Skelton the data wasn't sufficient; and that Skelton's motive was to harm Morrisons in an act of personal vendetta.

But companies need to be clear that only under these kinds of tight circumstances can they escape indirect or "vicarious" liability for the acts of an employee in relation to a breach of data-protection legislation.

The full Supreme Court judgment made it clear that companies could still be held vicariously liable where it's not a case of a rogue employee, and the act was carried out within their "field of activity."

Judges said that the UK's previous data-protection regime from 1998 — under which the Morrisons case was heard — doesn't exclude the application of vicarious liability to a breach of that law. The same would apply to the country's updated data-protection law, a direct application of the EU's General Data Protection Regulation, in force since May 2018.

That leaves companies exposed to litigation in respect to many other scenarios of data mishandling by company staff — such as through human error and negligence.

Just as a starting point, companies must meet their data-protection law obligations to keep personal data secure through appropriate training, technical and monitoring measures, policies and procedures. Even then, should they be found to have breached the law as a result of the actions of an employee not authorized to access data, they could be held directly liable for that employee's actions — which wasn't the circumstance in the Morrisons case.

Claims

The judgment isn't likely to open the floodgates, given that claimants will be limited in the type of situations they can attack, but it certainly leaves the door open for employees who have suffered harm as a result of a data breach.

While claimants are generally likely to target larger businesses with deep pockets, smaller companies handling quantities of personal data shouldn't feel they are out of danger. They, too, might be exposed to angry employees seeking compensation for the misuse of their data within the company.

While disappointed at the ruling, the claimants in the Morrisons case voiced optimism today at its acknowledgment of the application of vicarious liability for data breaches, suggesting future cases will occur.

"This is very significant because most data breaches are caused by human error. This ruling enhances the protection of data for millions of people in this country who are obliged to hand over their own information to businesses every single day. It will raise standards," the claimants' lawyers said in a statement.

Some privacy lawyers argue that more high-profile future claims could be filed as a representative action in the wake of a UK ruling last year allowing the "Safari Workaround" class-action suit against Google in that form.

Representative actions — where there the individual class members don’t need to be identified or to authorize the claim — focus on the "lowest common denominator," where each person can claim a share of any damages won. That's because the representative action isn't based on the facts of how the individuals were affected by the infringement.

Morrisons' case was brought under the more popular class-action mechanism of a “group litigation order,” where claimants must personally "opt in" to the proceedings.

"If you have an individual who does something accidentally or negligently, then a representative action could potentially be brought against the employer on the basis of vicarious liability for the acts of that employee, on the theory that each of the individuals affected has lost control of their data," Louise Freeman, a partner at Covington & Burling, told MLex today. This would mean potentially greater liability than individual group claims, she said.

Business practices

So the only realistic thing companies could do to fend off the risk of breaches and litigation is to keep the personal data they hold minimal, protected and well organized, and to ensure rigid internal policies and procedures to keep data safe.

Businesses would be sensible to review and minimize who has access to large amounts of personal information, as well as to boost their vetting, monitoring and governance processes, to ensure only the right people have the right access.

Some companies may need to examine if they have any old data they don't need: The less they keep, the smaller the risk. Others might invest in more stringent measures to identify and prevent insider threats to compromise data. Such an exercise wouldn't be easy, particularly any intrusive measures that could violate employees' privacy rights, creating a double-edged sword for businesses.

Insurance

Another avenue, or an extra one, would be for employers to consider obtaining appropriate insurance for negligent or accidental loss of data by employees.

Insurers have been watching the Morrisons case keenly. When the Court of Appeal dismissed the supermarket's arguments in 2018, judges said companies could seek to insure against similar data-leak "catastrophes."

That set insurers' nerves on edge in anticipation of the broad potential risk profile — and that would have likely led to dramatically increased premiums for employers’ liability insurance.

Today's ruling will thus settle those fears, suggested Adam Rose, a partner at law firm Mishcon de Reya. "With this judgment, employers, and the insurance sector (which might have been asked to cover a lot of the risk), can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorized actions of rogue employees," he told MLex.

For companies handling data, however, any sigh of relief will need to be supplemented by diligence in making sure their data-handling is squeaky clean.