The Morrisons data breach and GDPR compliance
Miriam Bruce, February 19, 2018
Various claimants v WM Morrisons Supermarket brings data privacy issues into sharp focus
With GDPR implementation on the horizon, one of the biggest issues for employers to grapple with during 2018 will be protecting the data privacy rights of their employees.
In Various claimants v WM Morrisons Supermarket the High Court found that Morrisons was vicariously liable for deliberate and criminal disclosure by a rogue employee of personal data belonging to his co-workers.
The employee was an internal auditor for Morrisons. As part of his role he was entitled to have access to personal data about other employees. He felt he had been unfairly disciplined over a conduct issue and as a result became disaffected. A couple of months later Morrisons' external auditor asked for payroll data for audit purposes and the employee was asked to handle the request. The data was, at Morrisons' request, downloaded onto the employee's work computer. He subsequently passed the data to the external auditor but didn't delete it from his computer. Some weeks later he uploaded the data onto the internet, posting it under the name of another employee.
The individuals whose personal data had been wrongly disclosed sued Morrisons, arguing that it was the data controller and so was responsible for the breach. Alternatively, if it was not the data controller it was vicariously liable for the wrongful actions of the rogue employee.
The High Court accepted that Morrisons was not the data controller at the point at which the individual was loading the data onto the website. Similarly, although the Court accepted that Morrisons should have been more proactive in ensuring that the data on the employee's computer was deleted as soon as it was no longer needed, this did not actually cause the damage. The Court's view was that the employee would have sought to circumvent any precaution put in place, given that this was a deliberate breach designed to cause problems for Morrisons.
That left the claim for vicarious liability. Whether an employer is vicariously liable depends on there being a sufficiently close connection between what the employee was employed to do and their wrongful actions. Here the Court accepted there was a sufficient connection and so Morrisons was vicariously liable. The employee had been given access to the data through work and been deliberately entrusted with the confidential information. He had used another employee's name to post the information on the Web. His motive was irrelevant in deciding whether there was vicarious liability.
Given that around 100,000 employees were affected by this data breach, compensation could be significant. Importantly, it is not necessary for the affected employees to show that they have suffered financial loss. Individuals can claim for distress merely from the disclosure of their data.
This case has worrying implications for employers. Here the employee's actions were entirely deliberate, and even though none of the employer's actions led to the data breach, it was still held liable. Given that the employee's actions were designed to cause problems for Morrisons, by passing liability to the supermarket the Court's ruling has in many ways furthered the employee's wrongful aims. Unsurprisingly, Morrisons intends to appeal, so employers will be watching carefully to see what happens next.
While not decided under the principles of the GDPR, this case is representative of a new data privacy environment in the workplace, with greater accountability for employers and increased employee rights. More data breach claims may follow, particularly given that it is not necessary for an individual to show loss to claim compensation.
What is clear from the case is that employers will be responsible for the employee data they hold and must apply the strictest possible controls to try to mitigate the risks presented by rogue individuals. Such controls could include limiting the number of people who have access to personal data for work purposes, ensuring that individuals with such access have it only for a limited period, and putting data security measures in place to flag misuse of the data. Further, the personal consequences of data breaches should be outlined to those who need access to colleagues' personal data for their job.
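The three controls just listed (time-limited access, a flag on misuse, and deletion of copies once the task is done) can be expressed as checks over an access log. The following is an added illustration written for this article, not code from Morrisons, the Court or the author; the grant model, the `bulk_threshold` of 1,000 records, the user names and every log line are constructed assumptions.

```python
"""Time-limited access grants and misuse flags over a constructed access log.

Added example, not part of the original article. All users, datasets,
timestamps, thresholds and log entries below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    """A time-limited permission for one user to access one dataset."""
    user: str
    dataset: str
    start: datetime
    end: datetime  # exclusive: access at or after this instant is not covered

    def covers(self, user: str, dataset: str, when: datetime) -> bool:
        return (self.user == user and self.dataset == dataset
                and self.start <= when < self.end)


def covered(grants, user, dataset, when) -> bool:
    """True if any grant authorises this user on this dataset at this time."""
    return any(g.covers(user, dataset, when) for g in grants)


def find_violations(log, grants, bulk_threshold=1000):
    """Flag access outside a valid grant window and bulk exports.

    Each log entry is (timestamp, user, dataset, action, record_count).
    Returns a list of (timestamp, user, dataset, reason) findings.
    """
    findings = []
    for ts, user, dataset, action, count in log:
        # Deletions are welcome at any time; everything else needs a live grant.
        if action != "delete" and not covered(grants, user, dataset, ts):
            findings.append((ts, user, dataset, "access outside a valid grant"))
        # A whole-workforce export is the pattern worth a human review.
        if action == "export" and count >= bulk_threshold:
            findings.append((ts, user, dataset, f"bulk export of {count} records"))
    return findings


def stale_exports(log, grants, now):
    """Exports never followed by a delete, whose grant has since expired.

    This is the 'copy left on the work computer' condition: the task is over
    but the data is still sitting somewhere it no longer needs to be.
    """
    deleted = {(u, d) for _, u, d, action, _ in log if action == "delete"}
    stale = []
    for ts, user, dataset, action, count in log:
        if (action == "export" and (user, dataset) not in deleted
                and not covered(grants, user, dataset, now)):
            stale.append((ts, user, dataset, count))
    return stale


# Constructed sample data: a one-week audit grant for two auditors.
T0 = datetime(2018, 1, 8, 9, 0)
NOW = T0 + timedelta(days=30)
GRANTS = [
    Grant("auditor1", "payroll", T0, T0 + timedelta(days=7)),
    Grant("auditor2", "payroll", T0, T0 + timedelta(days=7)),
]
ACCESS_LOG = [
    (T0 + timedelta(hours=1), "auditor1", "payroll", "export", 99998),  # in grant, but bulk
    (T0 + timedelta(hours=2), "auditor2", "payroll", "export", 40),     # in grant, small
    (T0 + timedelta(days=2),  "auditor2", "payroll", "delete", 40),     # copy cleaned up
    (T0 + timedelta(days=3),  "clerk7",   "payroll", "read",   1),      # no grant at all
    (T0 + timedelta(days=30), "auditor1", "payroll", "read",   5),      # grant has expired
]

if __name__ == "__main__":
    for finding in find_violations(ACCESS_LOG, GRANTS):
        print("VIOLATION", *finding)
    for stale in stale_exports(ACCESS_LOG, GRANTS, NOW):
        print("STALE COPY", *stale)
```

Run as a script it lists three violations (the bulk export, the ungranted read by `clerk7`, and the read after the grant expired) and one stale copy (`auditor1`'s export, never deleted). The point of the design is that a grant is a dated object rather than a permanent group membership, so expiry is checked on every access and the retention check falls out of the same records.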
Miriam Bruce is a senior associate in the London employment group at Mayer Brown