Morrisons' data leak A lesson for employers
At the end of 2017, judgment was handed down in the important case of Various Claimants v Wm Morrison Supermarket Plc (2017), which concerns vicarious liability resulting from criminal misuse of data by an employee. The trial was only concerned with whether or not Morrisons was liable; damages will be assessed at a separate hearing. In this article we look at the facts of the case and what lessons can be learnt from the judgment. This case is timely given the upcoming enforcement date of the European General Data Protection Regulation (“GDPR”), under which the frequency of employee group actions is expected to increase.

Michael Edgar, Solicitor, michael.edgar@laytons.com, +44 (0)20 7842 8091
Rebekah Parker, Associate Partner, rebekah.parker@laytons.com, +44 (0)20 7842 8000
Background

Facts

On 12 January 2014 a file containing personal details of 99,998 employees of Morrisons was posted on a file sharing website. Shortly after that, links to the website were also placed elsewhere on the web.

The data consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and the salary that the employee in question was being paid (“HR Data”).

On 13 March 2014, a CD containing a copy of the HR Data was received by three newspapers in the UK, including the Bradford Telegraph and Argus, a newspaper based in the city in which Morrisons has its head office. The person sending the CD did so anonymously, purporting to be a concerned person who had worryingly discovered that payroll data relating to almost 100,000 Morrisons employees was available on the web. It gave a link to the file-sharing site.

The information was not published by any of the newspapers concerned. Instead, the Bradford Telegraph and Argus told Morrisons what it had received.

Morrisons had an internal audit team, which at the time of the data leak was led by a Mr Chowdhery. It had within it an IT audit section and that team was headed up by Graham Daniels. Two or three IT auditors, specifically recruited for the purpose by Mr Daniels, reported to him. One of those was Andrew Skelton, a Senior IT Auditor employed by Morrisons.

Mr Skelton was disgruntled after receiving a verbal warning from Morrisons following its discovery that he had been operating a sideline business selling the (lawful) slimming drug phenylalanine, occasionally using Morrisons’ post room (at his own expense).

On 19 March 2015, Mr Skelton was arrested. He was charged under the Computer Misuse Act 1990 and under Section 55 of the DPA, tried at Bradford Crown Court in July 2015, and convicted. He was sentenced to a term of 8 years’ imprisonment, which he is currently serving.
Group litigation

A group action was brought against Morrisons by 5,518 employees, claiming compensation from Morrisons for breach of statutory duty under the Data Protection Act 1998 (“DPA”), breach of confidence and misuse of private information.

High Court judgment

Mr Justice Langstaff found that:

• the DPA did not impose primary liability upon Morrisons;
• that Morrisons had not been proved to be at fault by breaking any of the data protection principles, save in one respect which was not causative of any loss; and
• that neither primary liability for misuse of private information nor breach of confidentiality could be established.

However, applying principles laid down in the 2016 Supreme Court case of Mohamud v William Morrison Supermarkets plc, Mr Justice Langstaff held that Morrisons had secondary (vicarious) liability for Mr Skelton’s actions.
Principle 7 of the DPA

Principle 7 of the DPA (“Principle 7”) provides that:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

In this case, Morrisons was found not to have primary liability for failing to discharge its duty to take appropriate organisational measures to guard against unlawful disclosure and/or data loss. This was because the failure that the Court identified did not, on the facts, cause or contribute to the data leak carried out by Mr Skelton. Nonetheless, the Court did identify a data security failure by Morrisons.

The relevant chain of events with regard to the leaked HR Data (as found by the Court) was as follows:

1. On 1 November 2013, Morrisons’ external auditor, KPMG, requested a number of categories of data from Morrisons, including the HR Data. This was held in different places and it was convenient that the data be collated before transmission to KPMG. The request came to Mr Daniels, who delegated the collation task to Mr Skelton.

2. Only a limited number of employees (with “superuser” access) had access to the whole of the HR Data, which was held in a secure internal environment created by proprietary software known as “PeopleSoft”.

3. Since the HR Data was too large to be internally emailed to Mr Skelton, a Morrisons employee (with superuser access) physically carried the data to Mr Skelton on an encrypted USB stick. The data was transferred from that USB stick on to Mr Skelton’s work laptop, which was itself encrypted.

4. Mr Skelton was supplied with a separate USB stick, from KPMG, encrypted by it, on to which he later copied the data.

5. Mr Daniels did not check that Mr Skelton had deleted the HR Data from his work laptop until March 2014 - after the Bradford Telegraph and Argus told Morrisons about receiving a CD containing the HR Data, and a link to the file-sharing website, in the post.

The Court did not find that the actions contained in bullet points 1 to 4 above constituted a Principle 7 failure by Morrisons. Further, the Court did not consider that Mr Daniels, or any member of Morrisons’ management, could properly be criticised for not asking Mr Skelton before mid-December whether the data had been deleted, or checking that it had been. It was reasonable to keep the information in the hands of Mr Skelton, as Morrisons thought securely, for a short period after transferring it to KPMG: there might need to be queries raised, which it would be easier and more efficient for Skelton to answer from the material stored on his work laptop rather than having to request it again from a colleague with appropriate superuser access.

However, the Court found that there was a Principle 7 failing by Morrisons with regard to bullet point 5 above.
Morrisons’ Principle 7 failing

The Court found that there was no organised system for the deletion of data such as the payroll data stored for a brief while on Mr Skelton’s computer and that there was no failsafe system in respect of it. Accordingly, to this extent, Morrisons fell short of the requirements of Principle 7. The Court found that, where data is held outside the usual secure repository used for it (in the case of the payroll data, within the PeopleSoft system), there is an unnecessary risk of proliferation and of inadvertent disclosure (or indeed deliberate action by an employee) revealing some of that data. Morrisons took this risk, and did not need to do so – it could have adopted organisational measures, which would have been neither too difficult nor too onerous to implement, to minimise it.

Specifically, Morrisons had failed to put in place the organisational measure of having Mr Skelton’s manager check, after a reasonable interval, that Mr Skelton had deleted the HR Data from his work laptop. In these particular circumstances, a reasonable interval was considered to have been around one month after KPMG had been provided with an encrypted copy of the HR Data, to assist with handling any follow-up questions from KPMG regarding the HR Data.

However, while the Court found that Morrisons had failed, in this one respect, to discharge its duty to take appropriate organisational measures to guard against unlawful disclosure and/or data loss (therefore falling short of Principle 7 in this respect), this failure neither caused nor contributed to the data leak which occurred. This was because it was probable that Mr Skelton copied the HR Data from his work laptop to his personal USB stick only 17 days after he provided a copy of it to KPMG, with a view to his later unlawfully leaking the data.

Vicarious liability

Vicarious liability refers to a situation where someone is held responsible for the actions or omissions of another person. In this case, the Court was considering whether Morrisons, as the employer, was vicariously liable for the actions of its employee, Mr Skelton.

Whilst the requirements to establish vicarious liability are beyond the scope of this article, it is important to note that Morrisons were held to be vicariously liable despite the fact that Mr Skelton had leaked the material away from his place of work using his personal computer.

Lessons to learn from this case

1. The High Court found that, while Morrisons did not itself breach the DPA, it was vicariously liable for the unlawful actions of its rogue employee. The next stage, subject to the appeal that Morrisons intends to pursue, is for the Court to decide the level of damages to be awarded to the 5,518 employees. Presuming the case proceeds to a quantum hearing, the total damages could be substantial, particularly as the claimants do not have to show they have suffered any financial loss in order to be awarded damages. Accordingly, businesses may wish to review their existing insurance policies to consider whether their cover extends to vicarious liability and, if so, what the limit is on cover. If no such policy is in place, businesses may wish to consider obtaining one.

2. While the Principle 7 failure that the Court identified is fact-specific, the principle that businesses should have an appropriate system in place for the deletion of personal data (and in particular for sensitive data) is of more general application. This responsibility will continue under the GDPR, which replaces Principle 7 with a similar principle known as the principle of “integrity and confidentiality”. Businesses should review their data retention and deletion policies to mitigate risks posed by a situation arising as in this case, or, if they have no such policy, should put one in place.
© Laytons LLP, which is authorised and regulated by the Solicitors Regulation Authority (SRA Nº 566807). A list of members is available for inspection at the above offices.