Morrisons is to blame for 100k payroll theft and leak, say 9,000 workers
“Cutting to the chase, it’s not a case where the office cleaner finds a thumb drive, picks it up and takes the opportunity to make some use of it,” barrister Jonathan Barnes told the Supreme Court as he urged judges to dismiss Morrisons’ appeal against liability for its 2014 payroll data breach.
As reported yesterday, Morrisons is trying to overturn a Court of Appeal verdict that would see it paying out potentially tens of thousands of pounds in compensation to around 9,000 workers suing it.
The case is deceptively simple: should the supermarket be held vicariously liable for the actions of former auditor Andrew Skelton, who helped himself to nearly 100,000 employees’ payroll data and dumped it online?
“Morrisons [argues that it] is not the data controller,” said Barnes, picking apart one of the supermarket’s legal arguments. Morrisons claims that after Skelton had stolen the payroll, in data protection law Morrisons couldn’t be regarded as being in control of it – and therefore wasn’t liable for his actions.
Barnes continued: “So if we strip out the words ‘data controller’ from Morrisons’ description of itself at paragraph 97 of [its filed] case, we’re left with ‘innocent compliant employer’. But the condition of being an innocent compliant employer certainly does not ordinarily exempt an employer from a finding of vicarious liability.”
In written arguments, the workers say that Skelton didn’t stop being a Morrisons employee (that is, he was doing something the supermarket could have prevented or deterred) even though he was now the data controller of the stolen data. Legally, if the employees are right, this means the supermarket still ought to be held vicariously liable for the theft and dumping online of the staffers’ data.
Skelton was disciplined by Morrisons after a white powder was spilled in the company postroom. Police thought it might be amphetamine, though lab tests eventually showed it was the legal slimming supplement phenylalanine, for which Skelton was running a side business. Nonetheless, he was suspended from work for six weeks and given a verbal warning, causing the auditor to form “an irrational grudge” against the supermarket, as summarised in the employees’ case papers.
In November 2013 Skelton was tasked to help KPMG carry out its annual audit of Morrisons’ accounts. As part of that, the payroll was “uploaded from an encrypted USB onto Mr Skelton’s encrypted work laptop by another Morrisons employee,” as the joint Statement of Facts and Issues recounted. Skelton then sent the data to KPMG.
Five days later, “criminally and without Morrisons’ knowledge”, the auditor copied the payroll onto a personal USB stick. By mid-December the audit was finished – Skelton having retained access to it at work to answer KPMG’s questions – and he “ought to have deleted the payroll data” by that point. In January 2014 he posted it on a file-sharing website using Tor and later alerted three newspapers, who called the police.
Lady Hale, president of the Supreme Court – wearing a purple business jacket rather than the cheery jumper of the previous day – asked Barnes: “Was he entitled to read [the data] and look at it?… it seems to me he was entitled to read and look at it.”
In reply to Barnes’ arguments, Lord Pannick QC, barrister for Morrisons, thundered: “It cannot remain part of the law that the employee can be better off claiming under the common law when the vicarious liability is based on the act of the employer in giving access to the employee to the data, a matter specifically regulated in a statutory scheme… which is designed to allocate responsibility proportionately and fairly and properly as between different data controllers. That’s our case in relation to that matter.”
Many of the arguments were based around analogies and previous cases, with both sides’ barristers citing legal authorities where employers were blamed for the wrongdoings of their employees, ranging from one about a paedophile warden of a children’s home to a Singapore bus conductor who took out a rowdy passenger’s eye with his ticket machine.
Much time was spent debating whether Skelton had metaphorically “taken off his uniform” to go on a “frolic of his own”, outside his employer’s reasonable control.
Lady Hale remarked: “Now we shall go away and try and figure out what the answers are,” as the Supreme Court finished hearing both sides’ arguments yesterday. Judgment is expected in 2020. ®
Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/08/morrisons_supreme_court_data_breach_payroll_arguments/