Supreme Court decides Morrisons is not vicariously liable for data breach

Supreme Court decides Morrisons is not vicariously liable for data breach deliberately carried out by a rogue employee.

Employers will be relieved by the Supreme Court’s decision that employers should not be liable for the actions of employees acting outside of their normal roles and responsibilities

Background

In 2014 an employee at Morrisons, Andrew Skelton, stole and unlawfully published personal data of 100,000 employees. The data included names, addresses, gender, dates of birth, telephone numbers, bank account details, salary details and national insurance numbers. He uploaded the database to a file-sharing website and then alerted three newspapers to the breach that he had created. Skelton had legitimate access to the information as part of an IT audit task that he was assigned to carry out at the time, but held a grudge against the company due to a previous disciplinary matter.

Class action claim

In the first data breach class action in the UK, 5,518 of the employees brought a claim against Morrisons for the breach. By the time that the claim reached the Supreme Court, the number of claimants had swelled to 9,263.

Initial court decisions

The Court of Appeal had upheld the High Court’s initial decision that although Morrisons was not directly responsible for the breach, it was nonetheless vicariously liable for its employee’s actions. In deciding that Morrisons was vicariously liable for the breach the court found that although Skelton had uploaded the database away from the office and out of work hours, he was trusted with the data and his actions were closely related to his audit task. In their view, it didn’t matter that he had a personal motive to cause the breach – the breach was closely connected to his role.

The Supreme Court decision

Morrisons’ appeal had two limbs to it: 1) whether it was vicariously liable for the individual’s actions, and 2) if so, does the Data Protection Act exclude vicarious liability in these specific circumstances?

1. Vicarious liability

The court considered that the Court of Appeal had misunderstood the ‘close connection’ test for establishing vicarious liability. The court said that it was significant “whether he was acting on his employer’s business or for purely personal reasons.” In other words, was Skelton’s deliberate disclosure of the database so closely connected with his role and authorised acts at Morrisons that the disclosure could fairly be seen as carried out in the ordinary course of his employment. On the facts, the court found that “it is abundantly clear that [Skelton] was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.” Morrisons could not be vicariously liable for his actions.

2. Does the Data Protection Act exclude vicarious liability

The court found that as the act does not exclude vicarious liability, expressly or impliedly, it would not be inconsistent to impose statutory liability on an employee whose employer may also be vicariously liable under common law, and vicarious liability is therefore not excluded by the act.

Implications

The outcome should obviously be welcomed by employers as it shows that where they have complied with their duties as a data controller to keep personal data secure and confidential, they will not be liable for the actions of employees acting outside of their normal duties. Nonetheless, the Supreme Court’s decision, in this case, turned on the facts of the breach and the risk of employers being held vicariously liable remains in some circumstances, especially where there has been no clear effort to apply systems and technical solutions to maintain the security of data.

The case also shows the potentially high costs of dealing with the fallout from a data breach. Morrisons is reported to have spent more than £2m dealing with the consequences of this breach, even though they were found to have no direct responsibility for it.

We are seeing more instructions from employers who have suffered deliberate thefts or leaks of data and a clear conclusion from the Morrisons example as well as our own clients is that employers of all sizes need to continually assess their security arrangements and ensure that any risks such as disaffected employees are kept under ongoing review.