Employer held liable for employee’s data breach, even though his objective was to damage them
On 22 October 2018, the Court of Appeal dismissed the supermarket chain’s appeal in the case of Various Claimants v WM Morrison Supermarkets PLC  EWCA Civ 2339, where Morrisons had been held vicariously liable at first instance for a mass data breach caused by the criminal act of a rogue employee (see our blog about that decision here).
At first instance, Mr Justice Langstaff said he was "troubled" by one of the arguments advanced by Morrisons, namely that, as the motivation of the employee in committing the criminal act was to cause damage to his employer, imposing vicarious liability on Morrisons could effectively render the court an accessory in furthering the employee’s criminal aims. As a result, and somewhat unusually, the court of its own motion granted permission to appeal on the finding of vicarious liability.
The data breach
In January 2014, Andrew Skelton, who at the time was employed by Morrisons as a senior IT auditor, secretly copied the personal data (including names, dates of birth, addresses, bank account details and salaries) of 99,998 Morrisons’ employees on to a USB stick. In March 2014, he posted the data on a file-sharing website and tipped off local newspapers about the data breach. Although he had tried to conceal his identity he was subsequently arrested and prosecuted for fraud by abuse of position (contrary to section 4 Fraud Act 2006), unauthorised access to computer material with intent to commit or facilitate further offences (contrary to section 2 Computer Misuse Act 1990), and the unlawful obtaining of personal data (contrary to section 55 Data Protection Act 1998). He was convicted and sentenced to eight years' imprisonment. During the course of his criminal trial, it transpired that Mr Skelton bore a grudge against Morrisons stemming from a previous disciplinary process to which he had been subject earlier in 2013. His actions in leaking the employee data were therefore an act of retribution designed to cause damage to Morrisons.
Grounds of appeal
Morrisons appealed on three grounds arguing: (1) the Data Protection Act 1998 (DPA) excludes vicarious liability; (2) the DPA excludes causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for the same; and (3) the wrongful acts of Mr Skelton did not occur during the course of his employment and therefore Morrisons could not be held vicariously liable for them.
The Court of Appeal dismissed the first two grounds of appeal fairly swiftly, concluding (at paragraph 60): “the concession [by Morrisons] that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA”.
The ‘course of employment’ test
The findings in respect of the third ground of appeal, whether the wrongful acts occurred during the course of employment, will be of particular interest to practitioners. In order to determine this question, the court had to consider two matters:-
(1) what functions or “field of activities” have been entrusted by the employer to the employee (in everyday language, what was the nature of his job), and
(2) was there a “sufficient connection” between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principles of social justice.
In respect of the first question, it was held that Morrisons had entrusted Mr Skelton with the payroll data as part of his job and that: “in his role with Morrisons, day in and day out, he was in receipt of information which was confidential or to have limited circulation only: and he was appointed on the basis that this would happen, and he could be trusted to deal with it safely. Morrisons took the risk they might be wrong in placing trust in him”. This wording is sure to be oft-relied upon by Claimant lawyers seeking to establish vicarious liability against employers in claims for breach of confidence and misuse of private information.
In respect of the second question, Morrisons submitted that the “sufficient connection” test was not satisfied because the tortious act was not committed by Mr Skelton at work. He had committed the act at home, on a Sunday, using his own computer and his personal USB stick. Morrisons placed great reliance on the concept that an employer should only be liable if the employee was “on the job” when the tort occurred. The Court of Appeal dismissed this argument. It held that although the place where the act occurred will be relevant, of course, it is certainly not conclusive (and there have been several cases in which employers have been held vicariously liable for torts committed away from the workplace). The real question was whether there was “an unbroken chain” that linked the nature of the employee’s work with the ultimate disclosure of the personal data, and the Court of Appeal held that there was, upholding the findings made at first instance.
The law of vicarious liability has developed considerably in recent years and in a manner which has been widely perceived to favour claimants. It is trite law that an employer can be held vicariously liable for deliberate wrongdoing by an employee. It is also now well-established that the motive of the employee is irrelevant; see Mohamud v WM Morrison Supermarkets PLC  UKSC 11 which is another leading case on vicarious liability, in which Morrisons were held to be vicariously liable for a violent assault carried out on a customer by one of its employees (it is fair to say that Morrisons has had a bad run of late with its employees). In the present case, Morrisons invited the court to create an exception to the rule that motive is irrelevant in circumstances where the employee’s motive is to cause financial or reputational damage to the employer itself. The Court of Appeal declined to do so.
This leaves Morrisons in an invidious position. Not only have they suffered a huge data breach as a result of a rogue employee who committed a criminal act, they now must foot the bill (which could be very substantial; damages are to be assessed separately) arising out of that breach. To some observers, it may seem perverse that an employer should be found liable to pay compensation arising out of acts committed by an employee who was actively seeking to cause damage to the employer itself. The Court of Appeal identified that the remedy for employers in such circumstances is insurance. Employers should protect their position by taking out insurance policies which protect them against losses caused by dishonest or malicious employees.
This is a judgment that claimant lawyers will draw further comfort from. It confirms that an employer can be held vicariously liable for a deliberate wrongful act carried out by an employee, even if that act takes place in their own home, provided that a sufficient connection can be established between the nature of his job and the wrongful conduct complained of, and even in circumstances where the employee is motivated by a desire to damage the employer.
Click here to find out how Brett Wilson LLP’s privacy lawyers can assist you if you have been the victim of a data leak, or if you think your personal or confidential information has been misused.
Articles are intended as an introduction to the topic and do not constitute legal advice.