April 1, 2020

Supreme Court: Morrisons successfully appeal vicarious liability for data theft by employee

The Supreme Court has overturned the Court of Appeal decision in WM Morrisons Supermarkets plc v Various Claimants.  In considering the application of the ‘close connection’ limb of the two-stage test for establishing vicarious liability, the Supreme Court held that employers will not be liable for an employee’s wrongful act where that act is not engaged in furthering the employer's business, and is an effort to deliberately harm the employer as part of a vendetta.

The Supreme Court was asked to rule on two issues:

  1. Whether the Data Protection Act 1998 (‘the DPA’) excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence
  2. Whether the Court of Appeal erred in concluding that the disclosure of data by Morrisons' employee occurred in the course of his employment, for which the appellant should be held vicariously liable

Our cyber team have commented on the implications of the Supreme Court commentary regarding the imposition of vicarious liability for a breach of the Data Protection Act, and their insight can be found here.

Our employment team have also discussed what this decision means for employers here

Ultimately, from a casualty perspective, this decision on the second question will have a significant impact on the application of the two-stage test for vicarious liability, specifically the need for a 'sufficient connection between the employee's position and the tort'.

In overturning the decision of the Court of Appeal on the question of vicarious liability, the Supreme Court held that the test of vicarious liability is limited to circumstances where the actions of the employee were carried out in pursuing the business of the employer, and were not in an effort to deliberately harm the employer. These actions, such as those carried out by the tortfeasor in this case, did not occur ‘in the ordinary course of employment’.  Therefore, there was no sufficiently close connection between Mr Skelton's position and the tort, even though his position allowed him the opportunity to commit the wrongful act..

Lord Reed also addressed the judgment of Lord Toulson in Mohamud in which he stated that the tortfeasor's "motive is irrelevant". This would have seemed to contradict the finding of the Court in Morrisons, in requiring the tortfeasor to be furthering the business of the employer when conducting the wrongful act. However, in clarifying, Lord Reed stated at paragraph 30 that Lord Toulson had already confirmed that the tortfeasor in Mohamud  was "going, albeit wrongly, about his employer's business, rather than pursuing his private ends," and that having reached that conclusion, the motive for his loss of control was 'irrelevant'. 

We will consider the further implications of this decision, and that of Barclays Bank, in a further detailed piece on vicarious liability.

Background

During his employment at Morrisons, the tortfeasor, Mr Skelton, downloaded sensitive employee payroll data to his personal computer. He had been granted special access to that data as part of his job role with Morrisons. He later released the information to third parties. This action was motivated by a grudge against Morrisons after being subject to disciplinary procedures.

The employees, whose data was released, brought a claim against Morrisons alleging a breach of the Data Protection Act 1998 (DPA) on the basis that Morrisons were vicariously liable for the actions of Mr Skelton.

Vicarious liability was established at first instance. The High Court found that the circumstances of the case satisfied the two stage test that:

  1. Was the relevant relationship between Mr Skelton and Morrisons one of employment or "akin to employment"? (the Cox test)
  2. Was the tort (misuse of private information) sufficiently closely connected with that employment or quasi employment? (the Mohamud test)

Mr Justice Langstaff found "an unbroken thread that linked his work to the disclosure" and that the Court would not be furthering the employee's criminal objective by attaching vicarious liability; although Morrisons was the intended target, the true victims were the employees who had their data misused.

The Court of Appeal dismissed the appeal, agreeing with Mr Justice Langstaff, albeit recognising that the potential for 'eye-watering' responsibility being placed on employers holding large amounts of personal data. It was felt this could be resolved through the obtaining of suitable insurance.

Initial analysis

The Supreme Court rulings in both WM Morrisons and Barclays Bank will come as a relief to insurers and employers, who have seen their potential liability expand with previous decisions on the issue of vicarious liability. The Supreme Court have provided welcome clarification on the application of both stages of the two-stage vicarious liability test, restraining the expansion of those parties which are considered to be employees or 'quasi-employees', and the range of wrongful actions of employees for which the employers can be held to be vicariously liable.

Our case alert on the Supreme Court decision on vicarious liability in Barclays Bank plc v Various Claimants can be found via the link.