The Supreme Court has allowed an appeal by Morrisons Supermarkets plc, one of the United Kingdom's major supermarket chains, overturning a finding that it was vicariously liable for a rogue employee's deliberate disclosure of payroll data relating to some 100,000 co-workers, of whom 10,000 brought a group claim for damages.(1)

Background

The common law principle of vicarious liability makes employers indirectly liable for wrongful acts committed by their employees in the course of their employment. In recent years, case law has established a two-stage test for vicarious liability:

  • Did the employee's actions fall within the 'field of activities' entrusted to them by their employer?
  • Was there sufficient connection between the position in which the individual was employed and their wrongful conduct to make it right for the employer to be held liable under the principle of social justice?

In the controversial case reported below, these principles fell to be applied in relation to a significant data breach committed by an employee which triggered a group action for damages against the company by thousands of his co-workers.

Facts

Mr Skelton was employed by Morrisons as an internal IT auditor. In 2013, after receiving a formal warning following a disciplinary hearing, he developed a grudge against his employer. He copied the payroll data of a large number of employees onto a USB stick and took it home. A few weeks later, just before Morrisons' annual financial reports were announced, Skelton uploaded the file containing the data onto a file-sharing website and sent it to three newspapers. He had sought to frame a colleague in an attempt to conceal his actions. Following an investigation, Skelton was arrested, charged and convicted of criminal offences.

Many current and former co-workers whose data had been disclosed then brought a claim in the High Court against Morrisons for misuse of private information and breach of confidence, and for breach of its statutory duty under the Data Protection Act 1998. The claimants – initially approximately 5,000 but the cohort increased as the case progressed through the appellate courts – argued that Morrisons was either primarily (ie, directly) liable or vicariously (ie, indirectly) liable for Skelton's actions.

Lower court decisions

The High Court found that Morrisons had not directly misused or permitted the misuse of any personal information and therefore bore no primary liability. However, on the issue of vicarious liability the High Court concluded that there was a sufficient connection between the position in which Skelton was employed and his wrongful conduct to justify holding Morrisons vicariously liable. The High Court rejected Morrisons' argument that the Data Protection Act excluded the possibility of vicarious liability.

The Court of Appeal dismissed Morrisons' appeal, ruling that the High Court had been correct to hold that the Data Protection Act did not expressly or impliedly exclude the possibility of vicarious liability. As to whether such liability arose on the facts of this case, the Court of Appeal stated that Skelton had been deliberately entrusted with the payroll data, and his wrongful acts in sending it to third parties were within the field of activities assigned to him.

The novel feature of this case, the Court of Appeal noted, was that the wrongdoer's motive was to harm his employer rather than to benefit himself or inflict injury on a third party. However, the Court of Appeal concluded that motive was irrelevant in these circumstances. It suggested that, if a finding of vicarious liability led to multiple claims against the employer for potentially ruinous amounts, the solution was for the employer to insure against such an eventuality. Morrisons appealed to the Supreme Court.

Supreme Court judgment

The Supreme Court reviewed the previous case law on vicarious liability and made several observations, including as follows:

  • It was well established that there was a close connection test for vicarious liability: was the wrongful conduct so closely connected with acts that the employee was authorised to do that it might fairly and properly be regarded as done by the employee in the ordinary course of their employment?
  • In applying this overall test, the first question was what functions or field of activities the employer had entrusted to the employee.
  • Next, the court must decide whether there was sufficient connection between the position in which the employee was employed and their wrongful conduct to make it right for the employer to be held liable under the principle of social justice.
  • The statement in one of the previous Supreme Court judgments on vicarious liability that "motive is irrelevant" would be misleading if read in isolation and should not be taken out of the context of that particular case (Mohamud v WM Morrison Supermarkets plc ([2016] UKSC 11)).

In the present case, the Supreme Court concluded that the High Court and the Court of Appeal had misunderstood the principles governing vicarious liability in various ways. Looking at the question afresh, the Supreme Court stated that it was clear that no vicarious liability arose for the following main reasons:

  • Skelton was authorised to transmit the payroll data to the auditors and his wrongful online disclosure of the data was not part of his field of activities. It was not so closely connected with the authorised tasks that it could fairly and properly be regarded as made while acting in the ordinary course of his employment;
  • a temporal or causal connection was not enough to satisfy the close connection test and it was highly material whether Skelton was acting on Morrisons' business or for purely personal reasons; and
  • the fact that Skelton's employment gave him the opportunity to commit the wrongful act was not sufficient to impose vicarious liability on Morrisons. It was abundantly clear that he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings against him, rather than engaged in furthering his employer's business.

Finally, the Supreme Court dealt with the issue of whether the Data Protection Act excluded imposing vicarious liability for either statutory or common law wrongs (even though this was not necessary in light of the conclusion that Morrisons was not liable on the facts). Agreeing with the High Court and the Court of Appeal on this point, the Supreme Court stated that there was nothing to prevent the imposition of vicarious liability in circumstances such as in this case.

Implications

The Supreme Court's judgment provides a welcome clarification of, and corrective to, the test for vicarious liability. Broadly speaking, for an employer to be vicariously liable, there must be a sufficient connection between the position in which the employee was employed and their wrongful conduct. On the facts of this case, the Supreme Court decided that Skelton's unlawful act was not part of his field of activities in that it was not an act that he was authorised to do. It was highly relevant that he was essentially pursuing a personal vendetta, as opposed to furthering Morrisons' business, when he committed the unlawful act.

This is, on the whole, welcome news for UK businesses following understandable concerns about the enormous burden a finding of vicarious liability might place on innocent employers. The Court of Appeal had characterised such worries as "Doomsday or Armageddon arguments", stating that the answer was to be properly insured.

Nonetheless, this case is far from being the final word on data protection group claims, whether involving vicarious liability or more generally. While on the particular facts of this case the claim for vicarious liability failed, on a slightly different set of facts the outcome could have differed – vicarious liability claims are notoriously fact sensitive. That being so, in many ways this decision in fact paves the way for vicarious liability claims to be brought against employers in the future following a data breach.

In any event, many data protection group claims are not concerned with vicarious liability at all. Instead, they focus on an organisation's direct liability for alleged breaches. Direct liability was not an issue in the Morrisons case given the technical and administrative controls that the supermarket had in place. These led to the High Court's finding that Morrisons had "adequate and appropriate controls" in relation to most of the matters where it was alleged that it fell short of its security obligations under data protection law. Many organisations are unlikely to be in the same position when faced with the insider threat of a disgruntled employee. Their controls may not be appropriate to the risk, such that they could be found directly liable for a security failure caused by a rogue individual.

Endnotes

(1) WM Morrison Supermarkets plc v Various claimants, judgment available here.