Data Breach, Group Actions, and the criminal insider: the Morrisons case


A spectre is haunting data controllers – the spectre of group liability for data breach.

In Vidal-Hall v Google [2015] EWCA Civ 311 the Court of Appeal held that damages claims under section 13 of the Data Protection Act 1998 (DPA) can be brought on the basis of distress alone, without monetary loss.  Since that decision there has much speculation that a major data breach could lead to distress-based claims against the data controller by a large class of individuals.  Even if each individual claim was modest (in the hundreds or low thousands of pounds) the aggregate liability could be substantial.

Cases of this nature may give rise to important questions of public policy.  Often the data controller will themselves be the victim of malicious or criminal conduct, involving a hack by outsiders or a data leak by insiders. In such situations, should the data controller be required to compensate data subjects?  What if the very purpose of the hack or leak was to damage the data controller, so that by imposing civil liability on the controller the Courts would help further that purpose?

The recent decision of the High Court in Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 is the first significant case to grapple with these issues post Vidal-Hall.  The case involves a group claim brought by some 5,500 Morrisons’ employees in connection with the criminal misuse of a significant quantity of payroll data by a rogue employee.  In a lengthy judgment handed down on 1st December 2017, Langstaff J found that Morrisons were not directly liable to the claimants in respect of the criminal misuse of the data, whether under the DPA or at common law, but that they were nevertheless vicariously liable.  The trial dealt only with liability: quantum remains to be determined.

11KBW’s Anya Proops QC and Rupert Paines acted for Morrisons.

The facts set out in the judgment are striking.  The employee in question acted as he did because he had a grudge against the company, arising out of a disciplinary matter unconnected to his responsibilities regarding employee data.  He acted in order to damage Morrisons by way of revenge.  Nevertheless, the Court held that his conduct gave rise to liability, even though the Judge accepted that Morrisons were not at fault in respect of the misuse, or certainly not in any way that was causally relevant.

On 12th January 2014 a file containing personal details of almost 100,000 Morrisons employees was posted on a file sharing website.  The data consisted of names, addresses, gender, date of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes and account numbers, and salary details.  On 13th March 2014, a CD containing a copy of the data was sent anonymously to three newspapers.  Morrisons’ senior management were alerted to the disclosure on the same day, and within a few hours they had acted to ensure that the website was taken down.  On 19th March 2014, Andrew Skelton, a Senior IT Auditor employed by Morrisons, was arrested.  He was tried in July 2015, convicted of various offences arising out the data breach (including under the Fraud Act 2006), and sentenced to eight years in prison.

As a Senior IT Auditor, Skeleton was highly IT literate, and his work gave him access to a range of sensitive confidential business information, including employee personal data.  Unusually, and unknown to Morrisons, he also operated a personal sideline whereby he bought a slimming drug wholesale and sold it in smaller quantities on e-Bay.  On occasion, he would post packages using Morrison’s post room:  there was no cost to Morrisons, and no dishonesty was involved.  However, on 20th May 2013 an envelope he had posted in this way came open in the post room.  It contained white powder.  This caused alarm:  the police were called, and the substance was tested.  It was found not to be illegal.  Skelton was suspended and then subjected to a disciplinary hearing.  He was given a formal verbal warning (a low level sanction).

The context for the subsequent data breach was that Morrisons’ external auditor (KPMG) had requested a number of categories of data from Morrisons, on 1st November 2013.  Skelton was given the task of arranging for the transmission of data to KPMG.  As part of the process of assembling the data to meet KPMG’s request, on 14th November another employee – Michael Leighton – extracted pay roll data (held by Morrisons on what was known as the PeopleSoft system), and tried to email it internally to Skelton.  The email bounced back, because of its size.  Leighton then copied the data from his computer on to a USB stick and gave it to Skelton, who downloaded it on to his laptop computer.  At some time between 15th and 21st November Skelton provided KPMG with the pay roll data, together with other data required by KPMG, on a KPMG USB.  Langstaff J inferred from the evidence before him that on 18th November 2013 Skelton also copied the payroll data onto a personal USB at work, and that this was a step in his criminal venture.  He also inferred that Skelton had it in mind from before 14th November to misuse the data.

At Skelton’s subsequent criminal trial, he denied being responsible for the disclosures that took place on 12th January and 13th March 2014.  He was nevertheless convicted on the footing that he had disclosed the data, and in sentencing remarks the Recorder of Bradford (the trial judge) made clear that he considered that Skelton acted as he did because he had a grudge about the disciplinary outcome, and for that reason wished to damage Morrisons.

Almost 100,000 employees were affected by the data breach, of whom 5,518 were Claimants in the group action against Morrisons.  Their claim was based on breach of the DPA, together with a claim for the tort of misuse of private information and for breach of confidence.  The claim was put both on the basis that Morrisons had primary (direct) liability in respect of its own acts and omissions, and on the basis of secondary (vicarious) liability in respect of Skelton’s conduct.

In relation to primary liability, the Claimants alleged that Morrisons failed to comply with data protection principles 1, 2, 3, 5 and 7.  These are referred to in the judgment of Langstaff J (and in this blog post) as “DPP1”, etc.

The precise basis of the claim under DPP1, 2, 3 and 5 is not easy to determine from the judgment.  These principles relate to fair and lawful processing (DPP1), purpose limitation (DPP2), the requirement for personal data to be adequate, relevant and not excessive (DPP3), and the requirement for personal data not to be kept for no longer than necessary (DPP5).  The argument under this head of liability appears to have been that Morrisons were the data controller at all relevant times in relation to the payroll data which Skelton criminally misused and that, as such, they were automatically directly liable for his misuse of the data, applying DPP1 etc.  In effect, this part of the argument involved treating the actions of Skelton in making the data public as being actions done by or on behalf of Morrisons.  Langstaff J rejected this:  he accepted that once Skelton put himself in the position of deciding how the personal data that he was about to copy from his laptop was to be handled, then it was Skelton, not Morrisons, who was the data controller in respect of the relevant processing.  Hence the short answer to this part of the claim was that Morrisons did not, as data controller, themselves offend against the relevant principles.  The acts said to breach those principles were those of a third party data controller (Skelton), not Morrisons.  This part of the analysis therefore rests on the understanding that a data controller is autonomous, self-directing, and independent:  when Skelton embarked on processing the payroll data for his own objectives then he did so as a data controller in his own right, and his actions had nothing to do with Morrisons’ own role as data controller.

The claim of primary liability under DPP7 raised different issues.  DPP7 requires data controllers to take measures to secure an appropriate level of security for the personal data that they process.  It was argued that Morrisons had breached DPP7 in six respects:

  • failing to manage or mentor Skelton so as to prevent a grudge developing;
  • failing to monitor the email quarantine area so as to identify that data was being transferred to Skeleton;
  • failing to identify that Skelton was researching the Onion Router (TOR), using his work computer;
  • failing to deny Skelton access to the data;
  • providing the data to Skelton by a USB stick alleged not to have been encrypted; and
  • failing to ensure that Skelton deleted the payroll data.

An overarching issue was whether Morrisons knew or ought reasonably to have known that Skelton posed a real risk to the security of the payroll data transmitted to him.  Langstaff J held that the answer was no.  Neither the white powder incident, nor Skelton’s apparent contemporaneous reaction to the disciplinary proceedings, should have led Morrisons to refuse him access to the payroll data and instead to use other individuals for transferring the data to KPMG.

Thus there was no basis for alleging that Morrisons ought to have taken further steps by way of monitoring and mentoring.  The fact that Leighton’s email to Skelton bounced back (and was then held in quarantine in the Morrison’s system) should not have alerted Morrisons that Skelton posed a risk to the payroll data:  the issue was simply that the email was too big for the system to cope with.  There was evidence that Skelton had used his work computer to research TOR (i.e. software which can disguise the identity of a computer which has accessed the internet).  It was suggested that Morrisons should have been aware of this:  Langstaff J held that any system of monitoring that would have enabled Morrisons to discover this fact would have been impracticable and disproportionate, would probably have involved an unlawful interference with employee privacy (see Barbulescu v Romania (application 61496/08) [2017] ECHR 754, 5th September 2017), and would in any event have been unlikely to have prevented the data disclosure.  The USB stick used to convey the payroll data to Skelton was encrypted:  there was no breach of DPP7 in using this means of data transfer, and in any event the method of transfer did not cause or contribute to the subsequent data disclosure.

The only respect in which Langstaff J considered that Morrisons fell short of the requirements of DPP7, was in failing to have adequate arrangements for ensuring the deletion of data such as the payroll data briefly stored on Skelton’s computer.  It is not clear exactly in what respect Langstaff J considered that there was a failure or how precisely that failure ought to have been addressed in practice. However, in any event the point is of no practical importance, because the Judge made clear that any failure so far as deletion was concerned neither caused nor contributed to the data disclosure.

On the above basis, Langstaff J rejected all the claims of primary (direct) liability against Morrisons under the DPA.  He also held that there was no primary liability in relation to the tort of misuse of private information, or breach of confidence:  the acts said to give rise to liability on this basis were not done by Morrisons, and nor were they facilitated or authorised by Morrisons.  The only possible basis of liability was secondary, by way of vicarious (no fault) liability.

Langstaff J then considered the question of vicarious liability.  Here, he concluded that Morrisons were vicariously liable for Skelton’s wrongful conduct in disclosing the payroll data.  He stated that this conclusion would be the same whether the basis of Skelton’s own liability was seen as a breach of duty under the DPA, a misuse of private information, or a breach of confidence.  In each case the essential actions constituting a legal wrong by Skelton would be identical.

There are two points to make at the outset about this aspect of the judgment.  One is that there is – at the very least – a considerable tension between the conclusion that Skelton acted as a data controller in his own right when disclosing the data, and the finding that he was nevertheless acting in the course of his employment so as to give rise to vicarious liability.  The second point is that the consequences for data controllers are stark, and potentially severe.  Vicarious liability – without fault – could expose a data controller to potential financial ruin, as a result of an employee’s misconduct.  In this case the data controller was a large commercial organisation; but substantial volumes of personal data might well be handled by very different types of data controller (e.g. charities, NGOs or junior self-employed professionals), which might be unable either to meet this sort of claim or to afford to take out insurance to cover it.  The reasoning that led the Judge to reach his conclusions on this issue therefore merits careful scrutiny.

Morrisons put forward three arguments as to why vicarious liability did not arise.

First, they argued that, having regard to the nature and effect of the statutory scheme, the DPA left no room for the imposition of common law vicarious liability on employers. It impliedly excluded that liability.  The relevant primary wrong was Skelton’s own breach of his duty under the DPA, as data controller in relation to his own unauthorised and criminal use of the data: as the Claimants themselves had (perhaps surprisingly) put it, in relation to this conduct Skelton was “the only data controller in town”.  Applying the approach in Majrowski v Guy’s and St Thomas’s NHS Trust [2005] EWCA Civ 251, the scheme of the DPA excluded the possibility of attaching secondary liability to the primary wrongs committed by Skelton in his own capacity as data controller.  It was conceptually unsound for a person to be treated at one and the same time as an autonomous, self-directing data controller in his own right and as an employee processing data in the course of his employment.  The imposition of secondary liability would otherwise cut across the scheme embodied in DPP7, whereby a data controller was obliged to take proper steps (among other matters) to secure the reliability of their employees. In any event, the imposition of (no fault) vicarious liability could not be reconciled with s. 13(3) DPA, which expressly excludes liability for a data controller which has contravened the DPA in circumstances where it took all reasonable steps to avoid the contravention. The conclusion that the DPA excluded the imposition of common law (no fault) vicarious liability was moreover consistent with public policy, not least because any contrary approach would result in the imposition of disproportionately burdensome and potentially crippling liability on innocent employers who had otherwise fully complied with their own obligations as data controllers..

Secondly, Morrisons argued that it would be constitutionally impermissible and contrary to public policy for the Courts to circumvent this implied legislative choice in the DPA by imposing vicarious liability at common law, whether in the context of a claim for misuse of private information or a claim for breach of confidence.

Thirdly, even if vicarious liability was in principle available, Skelton was not acting in the course of his employment when he criminally disclosed the payroll data.  Reliance was placed in this context on Warren v Henlys [1948] 2 All ER 935 (no secondary liability where a petrol station attendant assaults a customer at the petrol station:  at the point when the assault took place, the customer’s business with the station had ended), which was referred to without disapproval by the Supreme Court in Mohamud v WM Morrisons [2016] UKSC11.   There was no sufficiently close connection between Skelton’s employment as a senior IT auditor and his act of criminal disclosure, for five reasons:

  • He was the relevant and indeed the only data controller in respect of his criminal disclosure of the payroll data.  He  had controlling powers over the data which he disclosed; Morrisons had no such powers.
  • He was not discharging his duties as an employee when he made the disclosure.
  • The disclosure was effected away from the workplace, out of working hours, and using his own personal devices.
  • The disclosure was made entirely at a time of Skelton’s choosing.
  • The disclosure was not intended to benefit his employer, but to inflict serious harm on it.

In this regard Morrisons relied on the decision of the House of Lords in Credit Lyonnais v Export Credit Guarantee Department [2000] AC 486, arguing that the case was authority that all elements of the tortious conduct must have been undertaken in the course of employment.  In this case, even if Skelton’s initial obtaining of data was in the course of his employment, the disclosure clearly was not.

In relation to the first of Morrisons’ three arguments, the Judge concluded that vicarious liability under the DPA was in principle available.  With respect, the reasoning is not always easy to follow.  The Judge emphasises that vicarious liability can be imposed even where a statute does not expressly refer to it:  it appears that Morrisons’ case, however, did not rest on the absence of direct reference to vicarious liability in the DPA, but rather on the inconsistency between the statutory scheme of the DPA and the imposition of vicarious liability.  Nor does the judgment say anything of substance about the arguments made by reference to DPA section 13(3) and DPP7, and their apparent inconsistency with vicarious liability.

The arguments of public policy are described as being in terrorem (always a bad sign:  I wonder if any Judge has ever labelled an argument in this way and then gone on to accept it).  The Judge makes the point that concerns about the imposition of vicarious liability had never previously been expressed in connection with a claim brought under the DPA.  This disregards the point made early in this post, that Vidal-Hall greatly extended the potential for mass data breach claims under the DPA, and has therefore brought the issue of vicarious liability into sharp focus.

Morrisons’ second argument only came into play if their first argument was accepted.  Unsurprisingly, given that the Judge rejected the first argument, there is little discussion of the second argument in his judgment.  The Judge commented that the DPA (and its parent EU Directive) were intended to provide greater protection for data subjects; so it was no surprise if there was scope for additional common law liabilities over and above those imposed by the DPA.

As to the third argument – whether on the facts Skelton acted in the course of his employment – the Judge held that he did, for four main reasons.

  • There was an unbroken thread, and seamless and continuing series of events, linking Skelton’ work with his disclosure of the data.
  • Morrisons deliberately entrusted Skelton with the payroll data.
  • Skeleton’s role in relation to the payroll data was to receive and store it and to disclose it to a third party.
  • When Skelton received the data as an employee, intending to copy it, he was acting as an employee, and the chain of events from that point onwards was unbroken.

The Judge relied on this analysis by way of a seamless and continuing series of events as a basis for distinguishing Credit Lyonnais.

The Judge himself had reservations about his conclusions.  In the final paragraph of his judgment he states that the point that troubled him most was the submission that Skelton’s wrongful acts were deliberately aimed at Morrisons, such that by finding Morrisons vicariously liable the Court could be seen as an accessory in furthering his criminal aims.  Of his own motion, he gave Morrisons permission to appeal his conclusions on vicarious liability.  He did not give permission to the Claimants in relation to primary liability.

Morrisons have since made public statements that they do indeed intend to appeal.  The Court of Appeal’s consideration of the issues discussed above will be eagerly anticipated.  There is certainly room for further exploration and analysis, both as to whether in principle the DPA leaves room for vicarious liability, and as to whether such liability can arise on the facts of this particular case.

The result is that data controllers will remain haunted by the spectre referred to at the start of this post. In an un-Dickensian and unseasonal outcome, the haunting will not be resolved this side of Christmas.  Instead, it will remain troublesome for some considerable time to come.