Lawyers for supermarket chain Morrisons today urged the UK Court of Appeal to overturn an earlier judgment that made the company partly liable for a criminal data breach that saw 100,000 people’s payroll details published via Tor.
Four years ago a disgruntled Morrisons employee, Andrew Skelton, who had legitimate access to the company’s entire payroll, published its contents online using anonymising network Tor. The breach was widely regarded as one of the worst in recent years.
He posted details of salaries, bank details and National Insurance numbers on data-sharing sites in a move said to have cost Morrisons more than £2m to sort out.
A group litigation order (class action, in plain English) was made against Morrisons that allowed 5,000 of the workers affected by Skelton’s breach to sue their employer. The High Court ruled last year that the supermarket was "vicariously liable" for Skelton’s actions – and would therefore have to pay compensation.
This week Morrisons wants to have that judgment “overturned”, in the words of barrister Anya Proops QC, because the company says that the ruling of High Court judge Mr Justice Langstaff was “highly divergent” from data protection laws passed by Parliament.
“Morrisons itself is completely innocent in respect of this data event,” Proops told Lord Justices Bean and Flaux and the Master of the Rolls, Sir Terence Etherton, one of the most senior judges in the land. The case is being heard in the Court of Appeal, the second highest court in England and Wales.
If Morrisons wins, the effect on data protection law will be massive: it will become more difficult for employers to be held responsible for malicious employees committing data breaches.
As part of its case that it should not be vicariously liable for Skelton’s actions, Morrisons argues that the Data Protection Act 1998 (the law in force at the time of Skelton's crimes) itself excludes vicarious liability.
“As soon as it is recognised that the DPA operates so as to exclude any common law vicarious liability for breach of its provisions, it inexorably follows that vicarious liability is excluded at common law more generally… Parliament has excluded vicarious liability,” Proops told the court this morning. In other words, even though there is a legal principle that employers can be forced to pay compensation for law-breaking by employees, Morrisons says that the law stops that from happening in this case.
The judges were seemingly not impressed with this, interrupting Proops’ opening speech to get a better understanding of Morrisons’ argument. One judge said that if Morrisons can’t convince them that the Data Protection Act stops its workers from claiming compensation, then its case might become very difficult to argue.
“I think to get home on this point, you need to focus on saying where the cause of action is otherwise available for misuse of information, or breach of confidence, depends on the facts and matters which are covered by the DPA’s control,” commented Lord Justice Flaux.
Proops told the court: “You’re absolutely right… What is special about this case is we’re dealing with an area governed by legislation. In that context it’s important to be aware of the burdens to which an employer is subject under that legislation. Or whether Parliament also wanted employers subject to vicarious liability.”
She continued: “The legislators have spoken, they have clearly and decisively drawn the line and it’s not for the common law to draw a different result than that drawn by Parliament,” adding: “If I lose on that point, I lose my primary case.”
The appeal hearing continues this week. Jonathan Barnes, barrister for the class action lawsuit members, will put their case to the court tomorrow.
Following a criminal trial, Skelton was sentenced to eight years in prison for fraud and unlawfully disclosing personal data. ®