Employment Law Cases

Employer not liable for employee's data breach

WM Morrisons Supermarket plc v Various Claimants

An employer was not vicariously liable for the actions of one of its employees who, to damage his employer, leaked personal staff data on a file-sharing website.

Background

In 2014, Mr Skelton, an internal auditor at Morrisons with a grudge against the supermarket (stemming from a previous disciplinary issue), leaked employee information online and to various media outlets. This involved the payroll data of about 100,000 employees and comprised highly sensitive information such as the employees’ bank sort codes, account numbers and NIC details. He had copied the information onto a USB stick. He was arrested and subsequently convicted and sentenced to eight years for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA). Thousands of affected staff brought proceedings against Morrisons based on its alleged vicarious liability for Mr Skelton’s actions.

The High Court and Court of Appeal, relying on a 2016 Supreme Court decision Mohamud v WM Morrison Supermarkets, held that Mr Skelton had been acting in the course of his employment because his role at Morrisons was sufficiently closely connected to his unlawful acts to make Morrisons vicariously liable for them. Morrisons appealed.

Supreme Court decision

The Supreme Court unanimously allowed Morrisons’ appeal.

Essentially, the Supreme Court said that the lower court decisions in this case involved a misreading/misinterpretation of its 2016 decision in Mohamud, which also concerned vicarious liability.

The ‘close connection’ test asks whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

The Court of Appeal was wrong to believe that all that was involved in determining an employer’s vicarious liability was whether there was a ‘temporal or causal connection’ between the employment and the wrongdoing. The inquiry is directed not at the temporal or causal connection between the various events, but at the capacity in which the employee was acting when those events took place.

Also, the statement that ‘motive is irrelevant’ must not be taken out of context. Whether the employee is acting on the employer’s business or for personal reasons is indeed important for the purpose of establishing vicarious liability.

Mr Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by him while acting in the ordinary course of his employment. Mr Skelton’s motive was crucial in establishing liability: that his employment gave him the opportunity to carry out his rogue act was not in itself enough to establish vicarious liability. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta. It is not enough to establish vicarious liability that the employee’s act arose from a task ‘closely related to what he was tasked to do’. There is vicarious liability where ‘the employee is engaged, however misguidedly, in furthering his employer’s business’. There is no vicarious liability where an employee is ‘on a frolic of his own’.

Link to judgment: https://www.bailii.org/uk/cases/UKSC/2020/12.html

Comment

Common sense has been restored in this case. The lower courts appeared to have made a decision based on social justice rather than in accordance with the case law and took the view that big employers could insure. A sizable proportion of data breaches are caused by malicious actions by employees or ex-employees. So, this is a comforting decision for employers.

Moreover, in a judgment delivered on the same day in a different case, Barclays Bank v Various Claimants, the Supreme Court also held that an employer generally cannot be vicariously liable for the actions of an independent contractor – in this case a doctor contracted to carry out medical examinations who sexually assaulted Barclays’ employees.