In a landmark judgment, the Supreme Court has unanimously ruled that WM Morrison Supermarkets Plc. was not vicariously liable for a 2014 data breach.
The Supreme Court has allowed an appeal by WM Morrison Supermarkets Plc. (Morrisons) against a Court of Appeal decision that the supermarket was vicariously liable for a deliberate data breach by a disgruntled ex-employee which exposed personal data of almost 100,000 of its employees.
In 2014, Andrew Skelton, an employee of Morrisons, posted personal details of almost 100,000 Morrisons employees on a file-sharing website and later notified the press of the data breach. The personal information published included details of salaries and bank accounts which Mr Skelton had access to as part of an auditing task he was asked to carry out. As soon as Morrisons became aware of the breach it took action to remedy the situation and mitigate financial losses stemming from the data leak. Morrisons were not found liable for any wrongdoing. Mr Skelton was convicted under the Data Protection Act 1998 (DPA) and Fraud Act 2006 and sentenced to eight years in prison.
In the first action of its kind, 5,518 of the employees affected by the breach brought a class action against Morrisons alleging that the supermarket was directly or vicariously liable for the breach of the DPA and/or misuse of private information and/or breach of confidence. The High Court found that Morrisons did not have direct liability under the DPA (or under common law or equity) but was vicariously liable for the data breach. In respect of the first limb (direct liability), the Court held that Mr Skelton acted independently from his employer and in doing so became the data controller who breached the DPA. In respect of establishing vicarious liability, the judge rejected arguments that the DPA excluded vicarious liability for a breach of that Act. The Court rejected further arguments that Mr Skelton was not acting in the course of his employment and held that it made no difference that the breach occurred away from the workplace during non-working hours. For more information on the vicarious liability element of the Court of Appeal's judgment, see the Clyde & Co insights of 1 December 2017 and 1 November 2018.
Supreme Court judgment
The Supreme Court hearing was heard on 6 and 7 November 2019. The issues considered by the Supreme Court were as follows:
Whether the DPA excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence; and
Whether the Court of Appeal erred in concluding that the disclosure of data by the appellant’s employee occurred in the course of his employment, for which the appellant should be held vicariously liable.
In allowing the appeal, the Supreme Court unanimously held:
- The Court of Appeal had misunderstood the principles governing vicarious liability. In considering the application of the 'close connection' limb of the two-stage test for establishing vicarious liability, the Supreme Court held that an employer will not be liable for an employee's wrongful act where that act was not done in furtherance of the employer's business but was a deliberate effort to harm the employer as part of a vendetta. Consequently, no vicarious liability arose in this case.
For a further insight into the vicarious liability element of the Supreme Court's judgment, please see the insight of Clyde & Co's casualty team: Supreme Court: Morrisons successfully appeals vicarious liability for data theft by employee.
- The argument by Morrisons that the DPA excluded vicarious liability was "unpersuasive". While it was not necessary to express a view on this point in light of the conclusion that the appellant was not vicariously liable for Skelton's actions, the Court held that imposing statutory liability on a data controller was "not inconsistent" with the existence of vicarious liability at common law. In particular:
"Imposing statutory liability on a data controller like Skelton is not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA says nothing about a data controller's employer. It is irrelevant that a data controller's statutory liability under the DPA is based on a lack of reasonable care, while vicarious liability for an employee's conduct requires no proof of fault. The same contrast exists at common law between, for example, an employee's liability in negligence and an employer's vicarious liability. It makes no difference that an employee's liability may arise under statute instead [54-55]. The appeal is therefore allowed."
This case represents the first data class action in the UK of its type and was a much anticipated judgment as it sets a precedent which will shape the future risk profile of cyber policies.
The Supreme Court's findings of fact in relation to Mr Skelton’s role and the reason why Mr Skelton acted wrongfully are of particular relevance. Equally, the Supreme Court has provided much needed clarity on the potential scope of vicarious liability as it may apply to “rogue employees” and “insider threat scenarios” in the context of data breach incidents.
There is a question to be raised as to whether any potential avenues for pursuing vicarious liability claims against employers remain for affected data subjects in future cases. While affected data subjects may be prevented from pursuing a class action on grounds of vicarious liability where the employee is held to have been acting outside the course of employment when the data breach occurred, the Supreme Court has left the door open for class actions to be brought under the DPA where an employer is held vicariously liable for a data breach. There are also likely to be other routes to a class action to which the cyber insurance market will be exposed. This Supreme Court decision does, however, narrow one particular sub-species of potential grounds on which data subjects may claim.
Over the next few weeks, we will be considering the implications of this landmark judgment and providing further insights focussing on its impact on the cyber insurance landscape.