In October 2018 the Court of Appeal handed down judgment in the Morrisons data breach case, which involved a disgruntled employee who revealed confidential data about nearly 100,000 members of staff. As the first data breach class action in the United Kingdom, the case is significant because it highlights the delicate debate about the legal doctrine of vicarious liability.
I found this case particularly exciting because I was studying the doctrine of vicarious liability in university close to the time the judgment was delivered (perfect timing, right?). This doctrine says that an employer is strictly liable for the criminal act of an employee provided that the criminal act was committed in the course of employment. In practice, very often the question turns on whether the criminal act was sufficiently connected to employment.
So what happened? A Morrisons employee, acting in his capacity as an internal auditor, was entrusted with confidential payroll information with a view to sending it to external auditors. He posted the data on a peer-to-peer sharing website and subsequently sent it to the press. The information included the names, addresses, bank details and salaries of nearly 100,000 staff members. On direct liability he was convicted and sentenced to eight years in prison. The question for the Court of Appeal was whether Morrisons was vicariously liable for the employee’s breach.
The application of the vicarious liability doctrine sparks debate. In theory, it can be argued that a company can be at fault for trusting the wrong person and it should be held accountable for not selecting, training and supervising its employees appropriately. Also, it can be said that a company creates a risk that something might go wrong through its activity and should compensate victims when such risks materialise.
However, in my view, attempting to attribute fault to the company does not offer a compelling answer in borderline cases, such as this one. The difficulty of quantifying and attributing fault to multiple agents makes it unlikely for clear and definite answers to be reached. The better view in favour of applying vicarious liability seems to be that a company has the practical means to respond satisfactorily when a breach occurs. What I mean by this is that a company is able to mitigate risks by taking insurance and making sure it has the financial means to offer compensation to the victims. However, this is a seriously questionable approach from a justice point of view. Why should the one with the deep pockets pay if they are not guilty per se?
In the Morrisons case, the Court of Appeal agreed with the High Court judge and held that Morrisons was vicariously liable. The judges pointed out that the actions of the employee cannot be disconnected from his employment. Interestingly, the court acknowledged that holding Morrisons vicariously liable for the actions of a rogue employee would aid his aims to harm the company. However, the established law provides that the motive behind the criminal act is irrelevant and that there is no exception available. Also, the court stressed that while “a defendant being insured is not a reason for imposing liability”, companies can and should insure against losses caused by rogue employees. The court seems to have taken a practical approach to applying vicarious liability and this can be viewed by many as another instance of ‘rough justice’.
On a side note, I think this case also underlines the increasing value of data and the power its controlling agent has. Here, confidential information has been used to harm the employer. In the past, I have written about Amazon and how data can be used as a valuable asset to fuel the growth of a company. When the Facebook and Cambridge Analytica story emerged I wrote about how data can be viewed as a trading tool and has real market value.
Understandably, each of these narratives involves very different types of data. However, what they have in common is that they show the diverse purposes data can be used for: sometimes they are clearly legitimate, sometimes they are clearly detrimental and sometimes we just cannot decide yet whether the purpose is legitimate or not.