21 May 2020 - Post by:Poppy Kevelighan
Away from Covid-19-related workplace issues, there has been some good news for employers in the Supreme Court’s recent decision in WM Morrison Supermarkets plc (Morrisons). In a data protection case, the court reversed the decisions of the lower courts, holding that Morrisons was not vicariously liable for a data breach perpetrated by a disgruntled employee. This is a welcome result for employers as it was made clear that an employer will not be liable when employees act solely to further their own agenda, rather than the interests of their employer, even if there is a connection to their employment.
In July 2013, Mr Skelton, an employee of Morrisons, was given a verbal warning for minor misconduct and developed a grudge against his employer. Later that year, Skelton was made responsible for sending payroll data for Morrisons’ workforce to its external auditor. Skelton did this, but he also made a copy of the data for his own personal use. In 2014, on the day Morrisons’ financial results were due to be announced, Skelton sent the data anonymously to three UK newspapers, purporting to be a concerned member of the public who had found the information online. Skelton went to great lengths to avoid detection when undertaking these actions, including disguising the identity of his computer as it connected to the internet and using a ‘burner phone’ and false email address in an attempt to frame a colleague for this data leak. The newspapers did not publish the information, and one alerted Morrisons, which acted immediately to remedy the breach. Skelton was subsequently arrested, prosecuted and imprisoned.
Data Protection Claims
Separately, affected employees brought proceedings against Morrisons on the basis of misuse of private information. It was alleged that Morrisons was both directly liable for the data breaches, and vicariously liable for Skelton’s acts. If the claims were successful, Morrisons would be exposed to damages claims from all of the approximately 100,000 individuals whose data had been disclosed.
What is Vicarious Liability?
An employer will be liable for the act of an employee if there is sufficient connection between the employee’s act and his employment such that it would be fair to hold the employer liable for that act (in addition to any personal liability of the employee). Vicarious liability is a form of “no-fault” or “strict” liability: the employer may still be held liable, even where it has committed no wrongdoing.
The legal test for vicarious liability is as follows:
- There must be a relationship that gives rise to vicarious liability (for example, employer and employee); and
- the act must be so closely connected with the employment that it would be just and reasonable to hold the employer liable.
Decisions of the High Court and the Court of Appeal
Direct liability was rejected by the High Court as Morrisons had neither caused nor contributed to Skelton’s data breach. However, the employees succeeded on the basis of vicarious liability because there was “sufficient connection between the position in which Skelton was employed and his wrongful conduct” (limb 2 above). Morrison appealed to the Court of Appeal but essentially it came to the same decision.
With so much at stake for Morrisons, the litigation journey continued to the Supreme Court, the highest court in England and Wales. The decision was reversed because the court found that Morrisons should not be held vicariously liable for Skelton’s acts as they were not sufficiently closely connected to his employment. Crucially, the court recognised that whilst Skelton was authorised to share the data with Morrisons’ external auditor, he was not authorised to share it with three newspapers and the act of doing so was not closely connected with his employment. The disclosure was made for purely personal reasons (a grudge against his employer) rather than to further the business of the employer. Importantly, the court held that the fact the employee had access to the data as a result of his job (and therefore his employment gave him the “opportunity to commit the wrongful act”) was not sufficient to make the employer vicariously liable.
The court reiterated that it is a long-established principle that an employer is not liable for the acts of an employee where the employee is acting to further his own personal agenda as opposed to that of the company.
Take-away for Employers
This judgment will no doubt be a relief for employers. It confirms that vicarious liability is unlikely to apply where an employee commits an act in furtherance of a personal vendetta. The difficulty is that it is not always easy to pin down the motive behind misconduct as this involves looking into the mind of an individual. There may be mixed motives or the evidence may not be convincing either way. Helpfully, in this fact matrix the steps taken by Skelton to cover his tracks and blame others was a clear indicator of his motives. In cases where the interests of the employee and the employer are less clearly at odds, the risk of vicarious liability will be significantly increased.
This case should also serve as a useful reminder for Data Protection Officers of the importance of acting quickly and effectively to remedy data breaches. Morrisons acted immediately to remove the leaked data from the internet and report the matter to the police, and it is estimated that they spent £2.26m dealing with the consequences of Skelton’s actions. The swiftness and scale of Morrisons’ actions were noted by the courts, and undoubtedly contributed to the finding that there was no direct liability.
For employers, therefore, the message is that returning to basics pays dividends. Remember:
- Data security is absolutely paramount.
- Have a proper crisis plan coupled with remediation.
- Don’t hesitate – it is essential to have immediate engagement with the ICO and affected individuals.