Over the last few months, our WorkLife blog has, not surprisingly, been dominated by coronavirus-related news and more recently redundancy reminders. However, in some areas, normal life has continued as well. So in a break from coronavirus, we wanted to report on some good news for employers in the form of the Supreme Court’s decision in WM Morrisons Supermarkets plc v Various Claimants.
Towards the end of 2018, the Court of Appeal found in favour of the claimants in this case, and held that employers could be vicariously liable for a rogue employee’s data breach, even if they had done as much as they reasonably could to avoid any such breach. This was worrying news for employers since it had the potential to leave them exposed to a large number of costly claims in the event of data breaches.
The Supreme Court has now overturned the Court of Appeal’s decision, and found that Morrisons was not vicariously liable for its employee’s deliberate data breach.
The full facts of this case can be found in our earlier blog on the case; in brief:
- Andrew Skelton was a senior IT auditor at Morrisons who reportedly held a grudge against the company. As a result, and in a move deliberately aimed at causing damage to Morrisons, he posted personal payroll data of nearly 100,000 employees online. This was done outside of work premises and working hours.
- Morrisons took appropriate steps to rectify the breach as soon as it learnt of it and there was no evidence that anyone suffered financial loss. However, just over 9,000 employees brought a data breach class action claim (ie where a group of individuals bring a claim together) against Morrisons for distress and anxiety.
- The High Court and subsequently the Court of Appeal found that Morrisons was vicariously liable for Mr Skelton’s misuse of the data, despite having done as much as it reasonably could to avoid such a breach. The Court of Appeal held that Mr Skelton’s motive was irrelevant, even where the motive was to cause financial and reputational damage to Morrisons.
- Morrisons appealed to the Supreme Court.
The Supreme Court’s recent decision
- The Supreme Court unanimously overturned the Court of Appeal’s decision and found that Morrisons was not vicariously liable for Mr Skelton’s data breach. They said that the Court of Appeal had “misunderstood the principles governing vicarious liability”.
- The Supreme Court confirmed that the correct test to be applied in deciding whether an employer is vicariously liable is whether there was a sufficiently close connection between the work the employee was authorised to do and the wrongdoing carried out, so that the wrongdoing could fairly be regarded as done by the employee while acting in the ordinary course of employment. In determining this, there are two questions which need to be asked:
1. What functions or “field of activities” had been entrusted by the employer to the employee?
2. Was there “sufficient connection between the position in which [the employee] was employed and his wrongful conduct to make it right for the employer to be held liable”?
- In this case, the Supreme Court did not consider that Mr Skelton’s act of publishing the payroll data online fell within the “field of activities” he was authorised by Morrisons to do. The fact that there was a close temporal link and an unbroken chain of causation between Morrisons supplying the data and Mr Skelton disclosing it did not in itself satisfy the close connection test. Contradicting the Court of Appeal, the Supreme Court held that Mr Skelton’s motive, namely to cause harm to Morrisons, was “highly relevant” in determining liability; it went to whether he was acting on Morrisons’ business or purely for personal reasons.
- As a result, there was not a sufficiently close connection between what Mr Skelton was authorised to do and his disclosure. The fact that his employment at Morrisons gave him the opportunity to commit the wrongful act was not sufficient to impose vicarious liability on Morrisons.
What this means going forward
This decision will be welcomed by employers, since it is likely to reduce the risk of liability in data breach class actions where a rogue employee is pursuing a personal vendetta, or where there is no specific evidence of individual damage. The Supreme Court was clear that an employee’s motivation behind a data breach is a key factor in determining an employer’s vicarious liability.
However, employers should not take this decision to mean that vicarious liability cannot ever arise where an employee commits a data breach. The Supreme Court confirmed that there is nothing in the Data Protection Act 1998 which excludes this possibility, and instead each case will turn on its facts. The door is therefore not closed on class actions for data breaches. Employers should continue to ensure that they have robust data processes and controls in place, including restrictions on who has access to personal data, to reduce the risk of data breaches occurring in the first place and limit the impact should one happen.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, August 2020