Various Claimants v WM Morrison Supermarkets Plc EWCA Civ 2339
Since the General Data Protection Regulation (GDPR) came into force in May 2018, much emphasis has been placed on protecting your organisation from external data breaches. However, the Court of Appeal's decision in Various Claimants v WM Morrison Supermarkets Plc in late 2018 reminds us that often the greatest enemy lies within.
The case involved a group claim brought by 5,518 employees, with ten lead claimants. The main question was whether Morrisons was directly or vicariously liable for a data breach instigated by one of its own employees.
In 2014, Mr Andrew Skelton, a disgruntled senior IT auditor employed by Morrisons, copied the personal details of nearly 100,000 employees onto a personal USB stick and uploaded them to a file-sharing website. Newspapers were anonymously tipped off about the data breach, which included the names, addresses, and bank account details of the victims. The papers then alerted the Defendant.
Mr Skelton was jailed for eight years.
At first instance, Morrisons was not held directly liable for the breach, as it had been committed by Mr Skelton, who was "acting without authority and criminally". In addition, Mr Skelton, not the supermarket, was held to be the data controller in respect of the data he disclosed. However, Morrisons was held vicariously liable for his actions.
Morrisons appealed on three grounds, one of which was that the Data Protection Act 1998 (DPA) excluded the application of vicarious liability.
The Court of Appeal disagreed. It held that if it had been Parliament's intention to exclude vicarious liability, a substantial common law and equitable right, it would have done so expressly.
Upholding the first-instance judgment of Langstaff J, the Court of Appeal stated:
“the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA”.
Although Morrisons has said it will appeal the decision to the Supreme Court, the law as it currently stands puts employers on notice that they can be vicariously liable for an employee's breach, even if, as in this case, the employer had done everything reasonably possible to prevent it. It is important to note that this case was the first of its kind to go before the courts; the floodgates to such claims may now be flung open. The GDPR places even stricter requirements on data controllers in relation to preventing and handling breaches, which further widens the risk of liability.
How law firms can protect themselves from a data breach
Alongside common attacks such as phishing, ransomware, and supply-chain compromise, internal and external data breaches are a significant threat to any legal practice. The following are ways law firms can mitigate the risk of a serious data breach, which can wreak havoc on their reputation and lead to crushing fines:
• Make cybersecurity and data protection a priority – because of the sensitive nature of the data they hold, law firms are a lucrative target for attackers. Never become complacent about your cybersecurity policies and make sure they are continuously reviewed and updated, so you stay one step ahead of the criminals.
• Ensure you are fully compliant with the General Data Protection Regulation (GDPR). For example, if, after analysing the way your organisation processes data, it is concluded that a Data Protection Officer is required, make sure one is recruited, either internally or by contracting an external agency to manage the role for you. In addition, law firms should be conscious of data minimisation and storage limitation (i.e. ensuring that the personal data processed is limited to what is necessary to achieve a specific purpose, and that data is held by the firm for no longer than required).
• Make sure all sensitive data is encrypted. Only around a third of law firms use encryption in their everyday operations. This carries a risk because, although it is not mandatory to encrypt emails and other personal information, failure to do so could result in an unpleasant experience with the Information Commissioner's Office should a breach occur. Bear in mind, though, that encryption at rest does little against an insider who is authorised to read the data, as Mr Skelton was; for that risk, least-privilege access, controls on removable media, and monitoring of bulk data exports matter more.
Cybersecurity threats and data breaches are the 21st century equivalent of thieves smashing your windows and stealing client files filled with valuable information. However, thanks to the internet, the destruction capable of being unleashed, both in terms of the affected firm’s reputation and finances, is now far more devastating.
Therefore, it is vital to take cyber and data security seriously, investing both the time and money to keep abreast of new developments and ensure all your protections are up-to-date.
This is one lesson no one wants to learn the hard way.
We have been helping legal professionals with professional disciplinary and regulatory matters for over 20 years. If you have any questions please call us on 0151 909 2380 or complete our Free Online Enquiry and I will soon be in touch.