On January 12, 2017, a U.K. court rendered a decision in a class action that could affect the way U.K. courts view vicarious liability for data breaches. In Various Claimaints v. Wm Morrisons Supermarket PLC, an employee of the company intentionally leaked personal information (including names and bank information) of about 100,000 other employees. This employee was a senior IT auditor who was frequently trusted with sensitive information as a part of his job. In January 2014, he leaked the data in question over the Internet. In March 2014, he sent the data on a CD to several newspapers anonymously pointing out the January leak. One of the newspapers alerted the company, who quickly took action to remove the online data and remedy the breach.

The employee was arrested and charged, found guilty, and received prison time. However, around 5,000 of the breach victims also decided to file the class action against Morrisons. The judge concluded that while the company was not primarily liable for the data breach, vicarious liability still existed. Morrisions obviously disagreed with this finding and challenged the judge’s ruling. The appeals court upheld the ruling. On April 15, the Supreme Court decided to hear this issue. The outcome of this will determine whether an organization can be liable for employees acting of their own accord and defying company protocol. This decision will also help expand or limit the definition of what is considered acting within the “course of employment” for purposes of vicarious liability cases. Finally,the Supreme Court’s review will explore when an organization’s data breach controls are sufficient to preclude vicarious liability.

Summary of Decision

In the class action, the claimants argued that Morrisons was primary liable and was also vicarious liable under the U.K. Data Protection Act and common law. The court focused on a few important events and factors leading up to the breach to reach a decision on both matters:

• In May 2013, the employee received minor discipline for an unrelated incident. He expressed to the company that he was unhappy about this. During the criminal case for the breach, the judge concluded that this incident fueled a grudge against the company and was the reason he put the data breach in motion.
• He acted as a liaison with the company’s external auditor. The investigation showed that the external auditor provided him with a USB to transfer sensitive data to them. However, sometime in November 2013 before giving the USB to the external auditor, he copied that data onto his personal computer.
• In December, he tried to access a website from his work laptop that would disguise his identity over the Internet. Morrisons did not discover this until investigation after the breach occurred.
• He also set up a fake email account and purchased an untraceable cell phone to use when he carried out the data leak.
• There was evidence he wrote a resignation letter in November-December 2013.

Based on these facts, the judge concluded that the employee was definitely plotting to carry out the data breach for some time, and would use his position at the company to do this. The question then became whether Morrisons could be liable in any way for an employee who was acting of his own accord and going against company protocol. The court found no primary liability, noting that being a data controller does not impose absolute liability. The company was not aware of the employee’s independent criminal actions and had no reason to know since they regularly trusted him with sensitive information as a part of the job. Even though the employee expressed that he was unhappy about the May 2013 discipline, his reaction did not give the company any reason to believe he would retaliate. The company had security safeguards in place as well that the court mostly found appropriate, and those that the court felt could have been updated would not have prevented the breach in this situation where independent criminal acts transpired.

However, the court did find a sufficient basis for vicarious liability. Upon review of the court’s decision, the case law shows there is a fine line between when vicarious liability is appropriate. The judge performed an extensive review of relevant case law, and while this aided in determining the outcome he concluded that vicarious liability would always be highly fact-intensive. Vicarious liability means that an employer can be liable for the actions of an employee.

The court adopted the approach the vicarious liability exists when an employee commits a wrongful act within the course of employment that is closely connected to the employment, even if the act is committed independently. The company claimed that the employee’s actions were far removed from his employment, personally motivated, and based on revenge. The court advanced that: 1) based on the timeline, the chain of events between his work and the data breach were continuous and unbroken, 2) Morrisons trusted him with this data at its own risk, 3) although the data breach was not authorized, the act was closely related to his normal tasks of holding and transferring sensitive data, and 4) he was acting as an employee when he received the data.

Predicted Appeal Outcomes and Implications

U.K. companies and legal professionals need to take note of what happens with the Supreme Court since this decision is crucial in the realm of data security law. If it upholds the decision, more companies could face liability for data breaches by their employees even when they have implemented comprehensive data security protocols and policies. If this occurs, companies should consider evaluating and updating their security programs, increasing employee monitoring, and determining risk factors. The scary thing is that even after doing all this it can be very hard to catch an employee who decides to turn against their employer and perpetrate a data breach. Future cases will likely evaluate when security is sufficient enough to preclude vicarious liability.

Interestingly, the high court judge noted his uneasiness in making the company financially liable since it was in essence advancing the employee’s initial goal of harming the company. While the appeals court did not seem to find this sufficient to overturn the ruling, it will be noteworthy to see if the Supreme Court addresses this point. Regardless, it is hard to predict what the Supreme Court will ultimately decide in this matter.