Employee data breaches – Distress under GDPR and the role of insurance

27 / 02 / 2019

Background

In October 2018, the Court of Appeal held Morrisons vicariously liable for an employee’s data breach. The case represents the first data leak class action in the UK. Seeking revenge against his employer, the disgruntled employee posted the names, bank account details, salaries and national insurance details of nearly 100,000 employees online. It was acknowledged that despite Morrisons having robust protections in place, these measures were still insufficient in preventing the breach. The supermarket chain now potentially faces a vast compensation pay-out should their appeal to the Supreme Court be unsuccessful.

Perhaps the most interesting point to be taken from the judgment is the recommendation that organisations should be insuring against data breaches, rather than merely safeguarding against them. A question that will be asked by many organisations will be whether their employer’s liability insurance would adequately cover the type of damage presented under the Morrisons claim. The answer is, in theory yes, but this will largely depend on whether these policies are wide enough to cover mere emotional damage. A brief summary of the issues arising from the case is outlined below.

Breach of Duty

The High Court judgment confirmed that the standard of security measures expected of a company should be relative to its headcount. The judge reasoned: “…with economies of scale, measures that might be prohibitively expensive if analysed per head of a small workforce may seem relatively insignificant if spread over the headcount of a large corporate employer.” Given the number of Morrisons’ employees, the standard of their security measures was therefore expected to be high.

The Claimants submitted a number of arguments as to how Morrisons breached their security obligations under the Data Protection Act 1998 (“DPA”). It was noted that the employee responsible for the leak, Mr Skelton, had recently received a disciplinary sanction and was, to the knowledge of Morrisons, displeased with the way in which his investigation had been handled. In this context, the Claimants argued that Morrisons’ failure to subsequently deny Mr Skelton access to the data, together with their failure to adequately manage and monitor him following the investigation, was a breach of their DPA obligations.

However, the judge disagreed. Restricting Mr Skelton’s access on the basis that he had recently received a first verbal warning, the lowest level of formal sanction available, would not have been proportionate. There was no reason to suggest that Mr Skelton could no longer be trusted following the disciplinary matter. Moreover, it is neither practicable nor justifiable for large organisations such as Morrisons to routinely monitor and scrutinise their employees to the extent that the Claimants claimed was required.

Whilst the judge established that Morrisons’ failure to ensure that personal data is regularly deleted from their software constituted a breach of the DPA, it was held that this failure did not cause or contribute to the data leak. The judge observed that any system which allows human access to sensitive data inevitably harbours a high degree of risk that such data may be disclosed or mishandled by a rogue employee. There was therefore little else Morrisons could have done to prevent Mr Skelton from releasing the data to the public.

The fear will therefore be that this decision, coupled with increasing public concern surrounding data handling, may lead to a surge in data protection claims against even the most prudent organisations who, in reality, can do little to prevent them. The solution, according to the judgment, is for employers to insure against such eventualities. But what exactly should employers be insuring against?

Distress under GDPR

The GDPR entitles data subjects to be compensated for non-material damage caused by an infringement. This can include claims for distress, reputational damage, embarrassment, inconvenience or anxiety, sometimes referred to as ‘moral damage’. Whilst this type of damage was afforded under previous legislation, compensatory awards for distress had been limited to instances where pecuniary damage had also been suffered as a result of the breach. It was not until the landmark case of Google Inc. v Vidal-Hall (2015) that an award for distress alone was granted without the need for claimants to prove pecuniary loss. This principle, now set in stone through Article 82 GDPR, has set the framework for cases such as Morrisons where claimants can sue on the grounds of upset and anxiety, without also proving there has been financial loss. It is worth noting, however, that the courts have since clarified that no award shall be granted for a mere data breach alone. Some kind of damage, whether financial or not, must always be established.

Insurance Cover

Turning back to insurance, employer’s liability or public liability insurance policies generally cover claims arising out of physical or bodily injury. Whether or not individual policies have the scope to cover non-material damage presented under GDPR would therefore need to be considered carefully. It may be necessary for employers to purchase a separate, bespoke cyber insurance policy. This additional policy cover typically entitles the policy holder to recover first party losses, for example the costs of notifying each data subject of the breach, along with third party costs involved in the breach and losses from commercial crime. However, employers will need to ensure these policies are wide enough to cover the acts of all individuals for whom the organisation may be vicariously liable.

Comment

In an employment law context, the case highlights the need for employers to be prudent when dealing with employees that have been the subject of disciplinary investigations. Depending on the severity of the sanction, and the seniority of the employee in question, it may be advisable to provisionally adopt additional levels of security clearances or even temporary employee monitoring to reduce the risk of rogue behaviour. However, it is clear that employers must act cautiously in doing so and it is advised that legal advice is first obtained.

Given that Morrisons will be appealing the decision to the Supreme Court, it remains to be seen how the judgment will impact the insurance market. Regardless, the case serves as a reminder that employers must safeguard their digital infrastructure robustly against the risk of an attack. With the knowledge that any such mechanisms may one day be subject to judicial scrutiny, now is the time for businesses to be seeking professional advice.