Morrisons wins landmark ruling on liability for employee data breach
6 Apr 2020
The Supreme Court has handed down a landmark judgment in a case involving a group data breach action against a former internal auditor at Morrisons, which could have seen the supermarket chain facing claims for damages running into thousands of pounds, reports Pat Sweet.
The case involved Andrew Skelton, who was on the internal audit team at the supermarket chain [WM Morrison Supermarkets plc v Various Claimants  UKSC 12].
In July 2013, Skelton received a verbal warning after disciplinary proceedings for minor misconduct and bore a grievance against the supermarket chain thereafter. In November 2013, Skelton was tasked with transmitting payroll data for Morrisons’ entire workforce to its external auditors, as he had done the previous year.
Skelton did so, but also made and kept a personal copy of the data which he subsequently released on a public website and to three UK newspapers. As a result, he was prosecuted and given an eight-year prison sentence.
Around 9,000 current and former employees then brought proceedings against Morrisons personally and on the basis of its vicarious liability for Skelton’s acts. Their claims were for breach of statutory duty under the Data Protection Act (DPA), misuse of private information, and breach of confidence.
A trial and subsequent Court of Appeal hearing both concluded that Morrisons bore no primary responsibility but was vicariously liable and should pay damages. The supermarket chain then appealed to the Supreme Court.
The Supreme Court has now concluded that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects. First, the online disclosure of the data was not part of Skelton’s ‘field of activities’, as it was not an act which he was authorised to do.
Secondly, the Supreme Court dismissed previous legal arguments based on whether his wrongdoing was so closely connected with his employment that vicarious liability ought to be imposed. Thirdly, a temporal or causal connection alone does not satisfy the close connection test.
Finally, the court said it was ‘highly material’ whether Skelton was acting on his employer’s business or for purely personal reasons.
Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.
On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta.
The Supreme Court also allowed Morrisons’ appeal on a second point, which was whether the DPA excludes imposition of vicarious liability for either statutory or common law wrongs. It found that imposing statutory liability on a data controller like Skelton is not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA says nothing about a data controller’s employer. It is irrelevant that a data controller’s statutory liability under the DPA is based on a lack of reasonable care, while vicarious liability for an employee’s conduct requires no proof of fault.
Mark Thomas, an employment and information law barrister at 5 Essex Court, said: ‘Morrisons will be breathing an enormous sigh of relief. The Court of Appeal determined that, despite being at no direct fault and acting appropriately at all times, Morrisons was liable for the actions of a rogue employee with a vendetta against the firm. The Supreme Court have reversed that decision, restoring normality to the previously established position on vicarious liability.’
Thomas said Morrisons had been saved by the Supreme Court’s recognition that ‘it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.’
In those circumstances, the court held that ‘Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.’
In a statement on the Supreme Court judgment Morrisons said: ‘The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.
‘We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he’s been found guilty of this crime and spent time in jail.
‘A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft. We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged. In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.’
Despite the Supreme Court ruling in the Morrisons case, data breaches are not always clear cut in terms of liability.
Paul Holcroft, associate director of advisory at Croner, said: ‘This long-awaited ruling from the Supreme Court seems to provide further clarity on vicarious liability, something that many employers are likely wary of.
‘As seen here, this form of liability should only arise when the act is closely connected to the job of the employee; here, the individual abused his position to conduct criminal acts due to his own personal grudge.
‘However, the fact that this case made it to the Supreme Court demonstrates that this can be an unclear area and will be fact specific. To this end, it is important that companies are prepared to respond quickly to any circumstances when they could face liability for the actions of their staff.’
Report by Pat Sweet, additional reporting Sara White
Original ruling - Legal updates: December 2018 Case: employer liable for data breach by disgruntled employee - article published 3 Dec 2018