If we were to hazard a guess at what furrows the brows of Data Protection Officers (DPOs) when considering data breach risk, following the Court of Appeal's judgment in WM Morrison Supermarkets Plc v. Various Claimants [2018] EWCA Civ 2339, the "insider threat" should be at the forefront of our minds.

Below, we offer our views on the Morrisons case and some practical tips on how to mitigate these risks.

The Morrisons litigation

The case concerned the actions of a disgruntled employee who published the details of more than 99,000 staff on a file-sharing website. He then sent a copy of the file to three newspapers. More than 5,500 staff commenced claims for damages. They also claimed that Morrisons was vicariously liable.

If you had only read the hyperbolic media coverage emerging from the Court of Appeal decision, you could be forgiven for thinking that the judgment was surprising or unusual. Whilst it may seem surprising that Morrisons should be held liable for an employee's conduct, which also amounted to a criminal offence, the legal principles in this area are designed around giving a claimant or claimants (in this case, a class of data subjects) an adequate remedy.

In a nutshell, the judgment reinforces the scope of the principle of vicarious liability under English common law. Since the Supreme Court's decision two years earlier in Mohamud v. WM Morrison Supermarkets plc [2016] AC 667, the approach has been to draw lines very broadly around the "field of activities" with which the employee is entrusted. In determining the closeness of connection between the wrongful conduct and this field of activities, the Courts are leaning towards principles of social justice which favour a payout for a claimant or claimants from the (presumably insured) defendant employer. The availability of insurance for the defendant is, as the Court of Appeal sees it at paragraph 78 of its judgment: "a valid answer to the Doomsday or Armageddon arguments put forward...on behalf of Morrisons".

Thus, in the Morrisons decision, the Court of Appeal: (1) reiterated the core principles of vicarious liability; (2) dismissed arguments to the effect that making a finding would impose an onerous burden not only on Morrisons but on future employers in the same position; and (3) followed through from the findings of fact in the High Court that there was an "unbroken chain" of events between Mr Skelton's employment and his wrongful conduct – to find Morrisons vicariously liable for his actions.

What types of claim?

The compensation claim in Morrisons is founded on three heads of claim: (1) a breach of statutory duty under the Data Protection Act 1998 (DPA 1998), leading to a claim under s13 DPA 1998; (2) a claim under the tort of misuse of private information; and (3) an equitable claim for breach of confidence.

Incidentally, the first and second grounds of appeal in the Court of Appeal dealt with the argument that claims (2) and (3) above were excluded by the DPA 1998. This argument failed on the particular interpretation of the statute, but the door is open to the argument being run again in a post-GDPR landscape.

Technically speaking, the heads of claim listed above are Mr Skelton's breaches, for which Morrisons is held vicariously liable.

To recap: in the High Court decision ([2017] EWHC 3113(QB)), Mr Justice Langstaff determined that Morrisons itself had not breached the DPA 1998 (save for one minor breach of Principle 7 of the Data Protection Principles (i.e. Security) which did not lead, causally, to any loss as there was no evidence that it would have prevented Mr Skelton's criminal misuse of the data). The High Court furthermore decided that Mr Skelton, in fact, became the controller of the data at the relevant moment when he was carrying out his wrongful actions.

For DPOs, it will seem counterintuitive that, although Mr Skelton was the (separate) data controller and therefore completely in charge of deciding the purposes and means of data processing i.e. what he did with the data, the doctrine of vicarious liability still fixes his employer, Morrisons, with liability for his actions. Nevertheless, this is the conclusion to which the Morrisons case leads us.

On the other hand, this situation would not have arisen if Mr Skelton had been an external cyberhacker, leading to a curious situation where data subjects will actually be more readily able to claim compensation for their losses from an organisation where the data breach is an "inside" job, as compared to an "outside" job.

Data breach litigation and the General Data Protection Regulation (GDPR)

If the Morrisons data breach had occurred today, it would be litigated under the GDPR and local Member State laws – in particular, the right to claim compensation for material or non-material damage (Article 82) and the new provisions around group representative actions (Article 80).

Under the GDPR, there are two particular further points of note:

  • Article 29 GDPR: the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
  • Article 32(4) GDPR: the controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Could there be an argument run that Article 29 GDPR excludes the possibility of vicarious liability because it specifically instructs "any person acting under the authority" not to process the data except on instructions from the controller? Furthermore, that Article 32(4) was designed to create a specific (and limited) duty for the actions of employees, thus excluding the doctrine of vicarious liability under English common law?

Practical Steps

Here are a few steps to help manage the risk:

  • Monitoring – consider whether current employee monitoring is adequate and deploy Data Loss Prevention software.
  • Repositories – use designated repositories to hold HR and other personal data.
  • Data mapping – this should have formed part of your GDPR compliance programme and perhaps forms part of your Article 30 records. If your organisation is not aware of where data is held (e.g. in which repositories) and under which security measures, how much harder will it be to prevent a data breach of this nature?
  • Robust information security framework – this should include not only organisational measures (e.g. having policies in place which outline expectations of employee conduct around IT) but also technical measures (e.g. data loss prevention software, the encryption and password protection of data and the imposition of roles-based permissions and access controls).
  • Training and awareness – this should also have formed part of your GDPR compliance programme, but should be regularly reinforced, particularly in order to mitigate the risks of "insider threat".
  • Data breach – inevitably, there will be little that can be done to deter the most determined malicious insider. Therefore, in the event of a data breach, you should have procedures (which have been tested via a data breach simulation exercise) in place. Ensuring that there is good communication and clear escalation lines may mean the difference between unauthorised access and a large-scale leaking of data onto the Dark Web, if caught early enough. Furthermore, there is a need to act quickly, as under GDPR it is now necessary for data controllers to consider whether notification will be required within 72 hours of the controller "becoming aware" of a data breach.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.