UK - Supreme Court sets some limits on data breach claims

The last few years have seen a significant increase in the potential liability for a data breach. That includes not only proposals for much larger regulatory fines but also class actions by individuals brought on both an opt-in and an opt-out basis.

The Supreme Court has just brought one such action to a juddering halt, deciding that Morrisons Supermarkets was not liable for a malicious data breach carried out by one of its employees. While this will be welcome news for many businesses, it is too early to tell if this means an end to the UK’s burgeoning data breach compensation industry.

The background

In brief, one of Morrisons’ internal audit team, Mr Skelton, was asked to provide employee data to KPMG for audit purposes. Unfortunately, Mr Skelton had a grudge against Morrisons so also secretly uploaded that data to a flash drive and leaked it on the internet in order to frame a co-employee who had given evidence against him in a disciplinary hearing and to generally revenge himself against the supermarket.

The information affected nearly 100,000 employees and included their salary, bank account, national insurance and address data. Around 9,000 affected employees joined a Group Litigation Order against Morrisons claiming misuse of private information, breach of confidence, and breach of the Data Protection Act 1998.

Was Morrisons liable?

The claim under the Data Protection Act 1998 was dismissed on the basis that, given Mr Skelton’s role, there was little more Morrisons could have done to prevent the breach. However, the Court of Appeal found that Morrisons was vicariously liable for Mr Skelton’s actions on the basis there was an “unbroken thread” between his actions and the sharing of the data online. As Mr Skelton had been trusted with handling the confidential data and sharing it with KPMG, the subsequent disclosure of that information online was sufficiently connected to his employment for Morrisons to be liable.

The Supreme Court overturned that finding. It held that the Court of Appeal had incorrectly applied the principles for vicarious liability. On the facts, the Supreme Court was satisfied that the employee had not been furthering Morrisons’ business when committing the wrongdoing. Rather, he was pursuing a personal vendetta.

Put more prosaically, Mr Skelton was on a “frolic of his own” and therefore his actions were not so “closely connected” with his authorised duties that Morrisons could be fairly and properly held accountable for Mr Skelton’s actions. In coming to this conclusion, the Supreme Court was keen to emphasise this was simply the application of existing well-established principles to this particular set of facts, albeit it was also an opportunity to address some of the misunderstandings about the Supreme Court’s earlier decision on vicarious liability in Mohamud v WM Morrison Supermarkets [2016] UKSC 11.

Does this mean an end to data breach class actions?

While the judgment will be welcome news for many businesses, the decision relates to a relatively unusual set of facts and does not necessarily mean an end to this type of claim. In particular:

  • Employers can still be vicariously liable for data breaches by their employees. The courts will apply the ordinary principles of vicarious liability in assessing whether that liability arises. There is no exception to those ordinary liability principles merely because the damage has been caused by disclosure of personal information.

On a slightly different set of facts, Morrisons might well have been liable. For example, if Mr Skelton had a different role and been responsible for maintaining a page on Morrisons’ website where employee details were listed then it seems much more likely that there would be a close connection between his authorised duties and the breach.

That means the scope of potential liability for data breaches remains significant - a single act by an employee disclosing personal data in the course of their employment could result in a group action from a very large number of claimants.

  • Data protection laws do not exclude vicarious liability. A second question before the Supreme Court was whether the Data Protection Act 1998 expressly or impliedly excluded vicarious liability where breach of the Act occurs.

Having found that Morrisons was not vicariously liable for the employee’s actions, it was not necessary for the Supreme Court to answer that question. However, the court concluded that there was no reason to exclude the principles of vicarious liability from breaches of the Data Protection Act 1998. That finding is likely to apply equally to the General Data Protection Regulation and Data Protection Act 2018 (i.e. the current UK data protection law).

  • Cleaning up a data breach can be costly. Morrisons spent over £2.26m in responding to the incident, much of it on identity protection for its employees, and likely spent a considerable amount of money defending this claim (not all of which will necessarily be recoverable).

That reinforces the need to keep data access controls and restrictions under close review, particularly at a time like this when the workforce at large is working remotely, and many employees are not under direct management supervision. Appropriate monitoring policies and data loss prevention systems are key to preventing breach events too.

What didn’t we find out?

The claims brought by the Morrisons employees were for “distress, anxiety, upset and damage” caused by mishandling of their personal information.

Had the Supreme Court found Morrisons liable, there would have been a finding on the quantum of liability. That would have provided a helpful benchmark to those wanting to understand more about how our courts quantify compensation for data breaches.

Many of the Morrisons employees would presumably have been unable to show that they had suffered any actual financial loss or harm, or indeed any real harm at all, suggesting their compensation should have been minimal (although, with c.100,000 potential claims, Morrisons’ aggregate liability would likely have been significant and possibly in the tens of millions of pounds).

However, we will need to wait for a judgment in one of the other claims making their way through our courts before we learn more about how to quantify compensation for breaches that do not cause much meaningful damage or distress.

What next for the data breach compensation industry?

There are still a number of significant class actions on foot including the opt-out representative action against Google, which relates to the so-called Safari Workaround rather than a data breach as such and will now be heard by the Supreme Court. Similarly, the opt-in Group Litigation Order against British Airways appears to be progressing (though the representative action against Equifax following its data breach is reported to have been withdrawn).

Whether the Supreme Court’s decision in this case marks a wider disapproval of this type of claim remains to be seen.

By Greg Palmer