"Data Breaches… Armageddon…" – as announced by the Three Horsemen

Stuart Ritchie


"Data breaches… Armageddon…" – Morrisons v Various Claimants, [2018] EWCA Civ 2339 at para 78.

Caveat: I confess at the outset that this quotation, though technically accurate, fails truly to reflect the tenor of the Court of Appeal’s judgment. But are the consequences for employers so different? Not so clear. Bear with me while I try to dig myself out of this hole.

To recapitulate, circa 100,000 employees of Morrisons (a UK supermarket chain) suffered a data breach when one of their number, a Mr Skelton, deliberately published the data of all of them. He subsequently was convicted of various data protection and other offences, and is serving an eight-year custodial sentence for his villainy.

Some 5,000-odd employees launched a data protection law "class action" against their employer, pleading that the employer is liable (under the doctrine of "vicarious liability") for (essentially) their distress and damage suffered from Mr Skelton’s criminal actions. They claimed under the old statute (Data Protection Act 1998) and in the new-ish common law tort of "misuse of private information".

At the High Court, in respect of the deliberate criminal acts of Mr Skelton, Morrisons argued that he, not they, was the material data controller. The judge agreed. Thus under the old statutory regime Morrisons escaped liability for the breach.

On the common law tests Morrisons, as you reasonably would expect, argued that Mr Skelton’s criminal actions were not performed "in the course of his employment". Unfortunately for Morrisons, under the common law the judge disagreed and decided the employer indeed was vicariously liable for Mr Skelton’s criminality. However, and extremely unusually, Langstaff J was sufficiently troubled by novelty (Mr Skelton targeted his action against the employer rather than his fellow employees) so as not only to grant permission to appeal the decision, but to do so inside the judgment itself.

Thus it came to the Court of Appeal. I won’t try your patience by traversing the full judgment. For those of the masochistic persuasion there’s an excellent and mercifully short commentary at https://panopticonblog.com/2018/10/22/vicarious-liability-for-data-breaches-court-of-appeal-dismisses-morrisons-challenge/, in which my learned friend Robin Hopkins again sums up his 11KBW colleagues’ well-heeled client’s defeat pretty well.

However, his focus is on disposing of the first two grounds of appeal. I appreciate Robin’s relative disinterest in Morrisons’ third "course of employment" argument from a legal perspective. In hindsight, of course, we can all see it never had many legs anyway. This is the "DNA" of judgments by excellent judges – it’s all so effortlessly logical and deceptively simple and eloquently expressed that we think any fool could have judged the matter correctly.

The downside to such erudite judgments is, of course, how quickly we all forget where we started! I don’t mind admitting I’d been rather gripped by the "course of employment" issue in the context of actions directed against the employer and thought it (primarily due to novelty) the only one with a halfway decent chance of standing up, given the elephant in the room. That is the "Armageddon" to which I now turn.

Actually I confess I was far less interested in the judgment’s legal intricacies per se (for those of the nerdier-than-thou persuasion, the judicial case law bombardment is expressed far better in the judgment itself by the judges themselves than could I) than in its strategic consequences. Why? Because this is a classic "opening the floodgates" public policy case, as everyone appreciated beforehand: see for example 11KBW’s seminar prior to the case, https://www.11kbw.com/knowledge-events/event/various-claimants-v-wm-morrison-ltd-opening-the-data-breach-floodgates.

The resounding result, despite novelty, drives home the increasing unavailability of what may be called the "rogue employee" and now "criminal quasi-employee" defences against vicarious liability, even for pre-GDPR common law. (I hardly need note in passing that Morrisons’ statutory defences, while succeeding under DPA 1998, likely would crash and burn horribly under the GDPR for obvious multiple reasons, most poignantly Article 82).

Strategically, albeit from slightly different jurisprudence, ever since Hawley v Luminar English Courts increasingly have sought, and found, circumstance-specific devices (i.e. findings of fact to give them an excuse to depart from the default position in law without opening the floodgates by setting a general precedent) to look through the veil and discover deep-pocket defendants vicariously liable for the actions even of third party contractors (whether criminals or otherwise), so extending the VL doctrine to employees performing criminal acts such as data breaches (whether or not in the course of any employment) is hardly a stretch. (GDPR merely entrenches this dismal outlook from a statutory perspective.) The real issue here is, as foreseen, floodgates.

So what does the Court offer us on the floodgates issue? Normally at this level the expected answer would be "nothing". Why? Because public policy nettles, if grasped too early, almost always lead judges into the horrible cul-de-sacs so concisely expressed by the US aphorism "hard cases make bad law". Thus such nettles generally are left to be grasped reluctantly, carefully, and with nerves of steel, by the Supreme Court where the buck stops. Indeed, plausibly pleading floodgates is one of the grounds for appeal specifically available to the Supreme Court to consider when giving permission to hear the case (tough luck on those the Court of Appeal have refused to hear).

This time, however, the Court of Appeal gives us some strong hints, in paras 77-78, as to its views on the floodgates. Robin closes with a partial quote from the same paragraph 78 that I quoted so hideously out of context in the title. But here is that entire unsympathetic paragraph, which for clarity (I’m a simple-minded chap) I break down into its five component sentences:

    1. "There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment.
    2. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts.
    3. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees.
    4. We have not been told what the insurance position is in the present case, and of course it cannot affect the result.
    5. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by Ms Proops on behalf of Morrisons."

Let’s deconstruct this, starting by reading a few tea-leaves.

  • The Court had seen no need to adopt a Hawley v Luminar approach and find circumstance-specific ways to tag Morrisons with the bill, as that was already the default position. On the contrary the Court finds, in effect, that the novel circumstances are nowhere near the point that might justify distinguishing this case from the general common law doctrine of vicarious liability. So this is and (unless overturned, more on that later) remains a general precedent.
  • The judgment was not only unanimous, but a judgment of the Court, apparently not even drafted by a single judge (in which case the usual convention is the others formally state "I agree", or add additional obiter points on matters that exercise them). One of the (possibly inadvertent) side-effects of this approach is to minimise simple opportunities to divine appeal grounds by way of deconstructing differences of views on the appellate bench.
  • The Court was led by Sir Terence Etherton, a very senior judge rejoicing in the title Master of the Rolls (second only to the Lord Chief Justice) and ex officio president of the Court of Appeal. Not too much should be read into this other than, perhaps, the case was thought to engage novel points of law. However I’ve noticed that the MR almost routinely leads data protection appeals, while specialists frequently hear them at High Court level. Park that thought as it’s circumstantial and probably coincidence, and in any event most data protection appeals are fairly novel for one reason or another, if only due to past rarity.
  • The word "insurance", when used by an English court, normally refers to a legal concept that is much wider than the insurance industry. However, and unusually, here the Court appears to refer specifically to the insurance industry.
  • Opinions may differ on the term "availability of insurance" in the final "Armageddon" sentence. Again, generally this is a common legal phrase in judgments and again, it normally embraces a much wider concept than if read literally – which I would not.
  • Some may interpret that sentence as offering a defence – "unavailability of insurance" – against a vicarious liability data breach claim. Again, I would not. Rather, it is submitted the Court is saying "the theoretical availability of insurance is sufficient to rebut any theoretical public policy floodgates argument".
    • Further, the Court clearly states in the immediately antecedent sentence "…the insurance position… of course… cannot affect the result." It’s a fair point as to do otherwise would put the cart firmly before the horse.
  • Some commentators have missed the force of the antecedent paragraph 77, in which the Court directly rebuts the (theoretical) floodgates argument with the (theoretical) counter-argument: "…suppose [Mr Skelton] had misused the data so as to steal a large sum of money from [another employee]. If Morrisons’ arguments are correct, then… such a victim would have no remedy except against Mr Skelton personally". As the equitable maxim goes, "equity will not suffer a wrong to be without a remedy". Repackaged as public policy, it’s so powerful it can create new torts out of nothing; and clearly in this instance the Court thinks the maxim alone is sufficient to reduce the floodgates issue to irrelevance.
  • In using the words "Doomsday" and "Armageddon" in the final sentence, I would not imagine the Court is being critical of Anya Proops QC’s obviously strongly argued case. Rather, it is submitted the Court, rather than ignoring the floodgates as convention would suggest, specifically is acknowledging and drawing attention to the fact that it’s arrived at a settled view on the floodgates issue: "Sure the floodgates are opening. We’re perfectly happy for these floodgates to open, if only because the alternative floodgates are worse. Suck it up."

In a 2017 blog on the case, https://panopticonblog.com/2017/12/06/data-breach-group-actions-criminal-insider/, 11KBW opens with: "A spectre is haunting data controllers – the spectre of group liability for data breach." With this emphatic appellate judgment, that spectre now seems to be morphing into reality. Who ya gonna call? The Supreme Court? Because the Court of Appeal, unusually, just may have snuck in its public policy retaliation first on the entire floodgates issue, giving the law lords (it is submitted) considerably more latitude for framing an unsympathetic public policy outcome, if so minded.

Given the increasing, increasingly reasonable, and apparently increasingly successful resistance of insurers to paying out on such claims (I’ve always considered the most entertaining US data breach cases are the satellite actions brought by those liable for the breach against their insurers who decline to pay up), some employers may consider the Court’s indifference to be either excessively optimistic or (perhaps) excessively ruthless?

Anyway, there we are. Armageddon announced with insouciance, if not (provably) relish, by the Three Horsemen of the Ap-pellate (sic) court.

    All facts and opinions set out above, including but not limited to spoken content and attachments/links, are provided for informational purposes only as a non-legal service to the public, and do not constitute legal advice or a substitute for legal counsel, and do not create any lawyer-client relationship, nor do they constitute advertising or provision of a legal service, nor are they the opinion of this web site or of its owner. The author is a co-founder of GDPR360 but does not speak in that capacity or in the capacity of a lawyer.