United Kingdom

Data Protection Class Actions and the Vengeful Employee: Implications of the recent Court of Appeal decision in Morrisons

Imagine a situation where an embittered, disgruntled employee steals personal information which he holds about other employees (name, address, bank details etc.) and decides to put it into the public domain. The disgruntled employee’s sole motivation is revenge against the Company following a perceived slight and his intention to cause maximum financial and reputational damage. His employer has made every reasonable effort to comply with its obligations to keep personal data confidential. Despite this he manages to steal the data and disclose it unlawfully.

Imagine further that, having heard of this unauthorised disclosure, his co-employees decide to mount a class action against the employer seeking damages for that disclosure. Is the employer responsible for the acts of that employee? It may surprise you that the answer, given by the Court of Appeal in the recent case of Wm Morrisons Supermarkets PLC -v- Various Claimants [2018], is a resounding yes.

The Morrisons Case

The facts of the Morrisons case were as described. The employee, a Mr Andrew Skelton, was a senior auditor at Morrisons. Following discovery of the crime, and a subsequent trial, he received an 8-year jail term. Despite this, some 5,500 Morrisons employees then brought a claim for damages against the Company even though they had not suffered any financial loss. The issue was how the Court would approach this.

Put simply, and as a general rule, it is well-established law that employers are liable for the acts of their employees which are carried out in the course of their employment, which is known to lawyers as vicarious liability. The main issues in the Morrisons case were therefore whether Morrisons was liable, directly or vicariously, for:

  1. the criminal actions of its rogue employee in disclosing personal information of co-employees; and
  2. the subsequent distress caused to those employees,

whether in breach of certain Data Protection Act principles, an action for breach of confidence or an action for misuse of private information.

The Judge at the first civil trial found that Morrisons were vicariously liable for the acts of Mr Skelton as there was a sufficient connection between the position in which Mr Skelton was employed (which included handling and disclosing data) and his wrongful acts. This was despite the fact that Mr Skelton had carried out most, if not all, of his nefarious activities at home, on the weekend, using his own computer. The Judge went on, however, to express concern that in finding against Morrisons he might be inadvertently furthering the vengeful aims of its former employee. On this basis he granted leave to appeal to a higher court, the Court of Appeal. That Court unanimously endorsed and upheld the decision of the Judge at first instance. The Court noted the ‘novel’ feature of the case which was that the disgruntled employee had intended to harm Morrisons but nonetheless held, to the surprise of some legal observers, that the company remained liable for its employee’s actions in this instance.

Implications for Business

It is important to note that this claim preceded the new General Data Protection Regulation (the “GDPR”) and so was based on the old law, the Data Protection Act 1998. Arguably the GDPR will make it even easier for employees to hold employers to account in this sort of scenario.

One of the arguments put forward by Morrisons, with which many would have some sympathy, was that the Court’s approach would put an undue burden on businesses like Morrisons, particularly bearing in mind the difficulty of securing data, the potential cost of ensuring compliance and the potential exposure of even small companies to large class actions. The Court of Appeal acknowledged that cases like these could lead to potentially “ruinous” awards being made against corporations. Its response was that, in dealing with losses caused by dishonest or malicious employees, employers could utilise insurance. As such, insurance was “a valid answer to the Doomsday or Armageddon arguments put forward… on behalf of Morrisons”.

The Insurance Implications

This is the first successful UK class action for data breach. Whilst it is arguable whether this is an extension of the law or merely a restating of settled law, what is clear is that it throws up potentially very severe exposures. It is noteworthy that in this case not only were Morrisons left fighting a major class action but the breach also led to significant negative publicity.

So what can be done? It is obviously more important than ever to have robust Data Protection policies and procedures in place. However, as can be seen from the Morrisons decision this may not be enough and it is also important to consider other ways in which your Company can be protected. There are a number of liability insurance lines that may respond to data breach claims for vicarious liability. The most obvious one is cyber but such coverage can also be found in other lines such as professional indemnity insurance (where the claims involve professional services breaches), Public Liability (where third party data is involved) and EL/EPL (employees’ data). Further, where policies contain such cover it is important, where possible, to try to resist attempts to impose sublimits.

This decision is being appealed and we await the Supreme Court’s judgment with interest. In the interim companies will continue to do what they can to protect themselves from the consequences of data breaches such as this.

Should you have any queries arising from this article do not hesitate to speak with the author, Karen Cargill, or your usual Aon contact.