Andrew Skelton was a senior auditor in the internal audit department of UK supermarket chain Morrisons. In July 2013, Skelton was disciplined by Morrisons for some minor misconduct. To get even, Skelton leaked payroll, banking and other data about 126,000 Morrisons employees, first to a publicly accessible website, and then to several newspapers. The breach, forensics, investigation, removal, and notification cost the supermarket chain in excess of 3.2 million dollars.
The other employees whose data was leaked sued their employer alleging two things. First, that Morrisons was directly liable for permitting the data to be taken and published in violation of the U.K. Data Protection Act, and in violation of their duty to protect data and for breach of confidence, and second that Morrisons was liable for the acts of its employee under a theory called “vicarious liability.”
On April 1, 2020, the Supreme Court of the United Kingdom ruled that the supermarket chain was not liable for the acts of its rogue employee. Because the trial court had previously ruled that Morrisons was not “directly liable” for the data breach, the Supreme Court ruling meant that the thousands of employees whose data was taken have effectively no recourse for their damages from the breach. It also may mean that consumers in the future (at least those in the UK) may not have the kind of data privacy or protection they think they do under the law. The Supreme Court expressly rejected the trial court’s reasoning that, because “the object of [the privacy law] was the protection of data subjects,” “if vicarious liability did not apply, the purpose of the [Data Privacy] Directive would be defeated.” In other words, if Morrisons was not liable for what Skelton did, then what’s the point of a privacy law at all?
Vicarious Liability
The principal issue in the case was whether Morrisons the company was liable for the acts of Skelton, its “agent.”
A collective entity, like a corporation, can be directly liable for what it does as a corporate act, or it can be vicariously liable for the acts of its employees, agents or third parties. Under UK law, an entity is vicariously liable for the acts of its agents if those acts were done within the scope of the agent’s employment. So if a truck driver gets into an accident, the trucking company is liable for the damages since the driver was hired to, well, to drive a truck, and the employer can’t escape liability simply by saying, “yes, but he was hired to drive a truck safely… so his accident was beyond the scope of his employment.”
On the other hand, if the truck driver steals a truck after hours, and takes it on a “frolic and detour” not within the scope of the driver’s employment, then the employer is not liable for the acts of the agent. Most cases involving vicarious liability lie in between those acts which are “clearly authorized” by the employer and those which are clearly unauthorized and beyond the scope of the agency. For example, if a gas station employee gets into a fight with a customer when that customer wants to use a printer at the gas station, and the employee assaults the customer, is that “within the scope” of the attendant’s employment? The company would say “no,” we didn’t authorize our employees to fight our customers. The customer would say “yes” — the guy was sitting in the booth with a shirt with the company logo on it, and restricting access to the company printer by beating the living crap out of customers. Within the scope of employment. In general, if the acts of the agent are for the benefit of the employer (even if not authorized) the employer is liable. If for the benefit of the employee alone, or worse, if the acts are to harm the employer — well, situation unclear. End of law school exam.
DPA and Vicarious Liability
The UK Data Protection Act imposes a duty on entities to protect the privacy (confidentiality) of data that they collect, store, distribute or process. The Morrisons case arose before the new EU GDPR and under a previous UK data privacy law which imposed liability on Morrisons as a “data controller” and provided for compensation to victims of data breaches, noting that “[an] individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. Morrisons argued that, since Skelton was not acting as an agent of Morrisons, HE and not it was the “data controller” here, and therefore Morrisons had no “vicarious liability” for Skelton’s action. They argued that “Skelton was a data controller in his own right in relation to the data which he copied and disclosed, [therefore] it followed that Morrisons could not be under a vicarious liability for his breach of the duties incumbent upon him.” Nonsense, the Supreme Court opined. The company could be directly liable as a data controller for its own acts (negligence) or could be liable for the acts of Skelton IF those acts were “within the scope of his employment” (agency). Since the trial court had already ruled that Morrisons was not directly liable, the only question was whether they were liable for Skelton’s actions as their “agent”?
Frolic and Detour
So, is Morrisons liable for the acts of its auditor? Clearly Skelton got the employee data in the ordinary course of his duties. Clearly he had access to the payroll data because he was an internal auditor and because he was charged with transmitting the data to KPMG. His duty to protect and keep the data confidential also arose from the fact that he was an employee of the company which was a “data controller” of the data. If Skelton lost the data at a tube station, or inadvertently mailed the file to some unauthorized person, Morrisons would be liable. If he was negligent, reckless or otherwise failed to protect the data as an agent of Morrisons, Morrisons would have to pay damages.
The lower court found that Skelton’s motive was irrelevant in deciding whether Morrisons had vicarious liability for his act. The Supreme Court disagreed. They noted that “Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.” Thus, the Court concluded “Skelton’s wrongful conduct was not so closely connected with acts which he was authorized to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”
So Skelton was not acting as Morrisons’ agent in obtaining and publishing the files, but was acting on his own behalf. Therefore, Morrisons could not be liable under vicarious liability for Skelton’s acts.
What it Means
The troubling part of the case was not just that Morrisons was not vicariously liable for Skelton’s acts but also the fact that the trial court found that Morrisons was not directly liable for its own acts. They gave access to tens of thousands of personnel records to an unreliable employee. They permitted that employee to offload that data onto a thumb drive. The data was not encrypted in any meaningful way such that KPMG and only KPMG could access and use it. They had no meaningful process for discovering the data exfiltration. They failed to supervise their own employee, especially after the employee was reprimanded and posed at least an increased threat. Maybe these actions were negligent, maybe not. It’s clear that Morrisons, as a company and as a fiduciary for its employees’ data, failed to protect that data and failed to prevent that data from being misused. Whether the misuse was due to the actions of a rogue employee, a hacker, or some other cause matters not one whit to the data subjects who expect the data to be protected. Now, the DPA and GDPR do not mandate “absolute” security, and therefore not all data breaches are or should be actionable. In some ways, the case allows Morrisons to have it both ways. Skelton was acting within the scope of his employment when he accessed the thousands of records. He was perfectly permitted to look at them. Because he was supposed to transfer them to KPMG, it was reasonable for him to download and transfer the records. So Morrisons was not irresponsible when it allowed him — within the scope of his employment — to do all of these things. Once Skelton accessed and downloaded the records, his act of posting and transferring them was outside the scope of his employment, and therefore not Morrisons’ legal responsibility. See? Pretty cool.
This ruling could obviate any duty on the part of data controllers to identify and mitigate insider threats. By definition, insiders have authorized access to data — they are insiders. They use that data for their own purposes — they are a threat. While the failure to have an insider threat program might give rise to negligence liability, that didn’t seem to be an issue here. In fact, if you have an insider threat program which fails to detect a person like Skelton, you might have more liability than if you have no such program at all. At the end of the day, Morrisons paid over $3.2 million USD in responding to the Skelton breach. But none of that went to compensate its employees. As a result of this ruling, none of it will. So best advice for data subjects, “keep calm and carry on.”
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.