Vicarious liability for data breaches: Court of Appeal dismisses Morrisons’ challenge

Large-scale civil litigation is one of the developing contours of data protection law. Last week’s judgment in Lloyd v Google – a novel representative action based on allegedly unlawful processing activities – is one illustration. When it comes to group litigation on the back of a data breach, our best illustration thus far is the groundbreaking group action against Morrisons.

As Panopticon readers will recall, the Morrisons data breach was the result of the deliberate, criminal actions of a disgruntled former employee. He exploited his legitimate working access to Morrisons’ databases to steal and post online the personal details of almost 100,000 Morrisons employees. The data consisted of names, addresses, gender, date of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes and account numbers, and salary details. The ICO investigated, but decided that no enforcement action was appropriate.

Group litigation was, however, commenced, involving some 5,500 affected employees. In a judgment handed down in December 2017 – Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 – Langstaff J held that:

  • Morrisons was not directly liable for the breach: it did not itself misuse any private information, and – except in one inconsequential respect – its data security measures were adequate.
  • Morrisons was, however, vicariously liable for the rogue employee’s actions.

Morrisons appealed on issue 2 (there was no challenge on issue 1). The appeal was heard on 9 and 10 October, with judgment following very swiftly this afternoon. The Court of Appeal (the Master of the Rolls, Bean LJ and Flaux LJ) has dismissed Morrisons’ appeal: Morrisons CoA judgment.

Grounds 1 and 2 were addressed together. Ground 1 was that vicarious liability does not apply to the DPA 1998. Ground 2 was that the DPA 1998 excluded common law causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same.

In outline, Morrisons argued that the DPA 1998 was a comprehensive code for dealing with data breaches of this kind. The seventh data protection principle – the duty to have in place appropriate technical and organisational measures – was tailor-made for the task. So, if you satisfy that principle, you should not be saddled with vicarious liability for rogue actions such as this, because you did what was reasonably required to safeguard the data.

Importantly, the claims were brought at common law as well. Morrisons did not argue that the DPA 1998 ousted the common law tort of misuse of private information. Rather, it argued that where the DPA 1998 and the common law came into conflict, the statute should prevail. Vicarious liability was one such area of conflict.

The Court of Appeal was unpersuaded: “We consider it is clear, however, that whatever the position on the first ground of appeal, the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded by the DPA” (paragraph 48). The Court rejected the argument that, in enacting the DPA 1998, the Parliament had intended to exclude common law actions that conflicted with the analysis under that statute. The ultimate conclusion was this (at paragraph 60):

“In conclusion, the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful  processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.”

Morrisons’ third ground of appeal was that the Judge below was wrong to conclude (a) that the wrongful acts of the rogue employee occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts. On its analysis of the relevant case law to the facts of the present case, the Court of Appeal was unsympathetic to Morrisons’ challenge.

Doesn’t this leave data controllers horribly exposed to the actions of others? Maybe, said the Court of Appeal – but the solution lies with being properly insured. See paragraph 78:

“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees…”

Anya Proops QC and Rupert Paines act for Morrisons.

Robin Hopkins @hopkinsrobin