WM Morrison Supermarkets PLC v Various Claimants  UKSC 12
Individuals are increasingly aware of the protections that are available for their data following the introduction of the GDPR in May 2018. Many of us have had (and continue to have) training about our responsibilities when dealing with personal data and the rights of data subjects. The media constantly report high profile breaches and increased attention is being paid to what companies do with the personal data they collect. Vicarious liability has been seen to be an area of the law very much on the move - with previously existing boundaries under constant pressure to expand.
During this period the dispute in WM Morrison Supermarkets PLC v Various Claimants has been working its way through the courts. In exploring where liability falls when an employee commits a data breach it sees these two fast moving areas of the law collide. It is therefore unsurprising that the Supreme Court judgment handed down today is a crucial development for those at risk of such a claim and those that insure them.
In overturning the previous findings that Morrisons was liable for the data breach of a disgruntled employee this is a landmark decision in the law of both data protection and vicarious liability. It deals with liability in the first ever data breach group action in the UK and unanimously overturns two previous rulings which were unanimous in their own right.
Mr Skelton, a senior IT internal auditor employed by Morrisons, received a verbal warning following his unauthorised use of Morrisons’ postal facilities for private purposes. Move on a few months and Morrisons’ external auditors requested a copy of its payroll data. Skelton was involved in the required data transfer as this fell within the scope of his responsibilities. Having copied the data onto a USB stick he later posted a file containing the personal details of almost 100,000 Morrisons’ employees on to a file sharing website. Morrisons discovered the breach and swiftly took steps to address it. Despite efforts to cover his tracks Morrisons’ systems enabled Skelton to be identified as the party responsible; he was convicted of criminal offences and sent to prison.
The claimants in this group action (now over 9000 in number) were Morrisons’ employees whose personal details had been revealed by the data breach. They pursued claims against Morrisons for misuse of private information, breach of confidence and breach of the Data Protection Act 1998 (“the DPA”) – this data breach having predated the enactment of the GDPR. They contended that Morrisons was primarily liable in these claims but if not it was vicariously liable for its rogue employee’s actions.
The journey to the Supreme Court
Liability was tried first. To the extent that the claimants argued that Morrisons were directly liable for the data breach they were largely unsuccessful. Liability under the DPA was found to be that of Skelton as an independent data controller; Morrisons was not the data controller at the time of the breach. The direct claims for breach of confidence and misuse of personal information were equally unsuccessful.
The court then considered whether Morrisons were vicariously liable; it rejected Morrisons’ contention that the DPA implicitly excluded the possibility of vicarious liability for a breach of the Act or for claims for misuse of private information or for breach of confidence. With heavy reliance on the approach in Mohamud v WM Morrison Supermarkets PLC  UKSC 11 the court found there was a sufficiently close connection (a crucial element for vicarious liability) between the role in which Skelton was employed and his wrongful conduct such that Morrisons should be held vicariously liable for his wrongdoing. Morrisons appealed the vicarious liability findings.
The Court of Appeal was satisfied that the principle of vicarious liability was not expressly or impliedly excluded by the DPA. That left the primary issue of vicarious liability at common law to be considered again. Regrettably for Morrisons, this did not result in any change of approach. The claimants’ cause of action against Skelton was established when Skelton downloaded the data onto his USB stick at work. Morrisons’ contention that for vicarious liability in these circumstances the employee had to be “on the job” was robustly rejected. The Court of Appeal noted there were many court decisions where vicarious liability had been established in relation to acts committed away from the workplace.
The relevance or otherwise of the wrongdoer’s motive was considered. The Court noted that employers had been held to be vicariously liable in cases where the motive was greed, racism or sexual gratification and saw no reason why motive should be a consideration in determining whether an employer should be held liable for an employee’s actions.
Equally, arguments that imposing liability here would place too great a burden on employers were robustly rejected. The Court of Appeal made it clear that the “…availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward…” Morrisons again appealed.
The Supreme Court decision
In overturning the judgment below the Supreme Court decision was unanimous. Lord Reed commented that the decision “…provides the court with an opportunity to address the misunderstandings which have arisen since its decision in the case of Mohamud v WM Morrison Supermarkets…”
The Supreme Court considered:
1. Whether Morrisons was vicariously liable for Skelton’s conduct.
2. If so, whether the DPA excluded the imposition of vicarious liability for statutory torts committed by an employee and liability for misuse of private information and breach of confidence.
As to vicarious liability the Supreme Court made it clear that it considered the approach taken by the Court of Appeal would have constituted a major change in the law when that was not the outcome of the approach taken in Mohamud. There the court had summarised the law in the simplest terms, saying that two issues should be considered:
(i) what functions or “field of activities” had been entrusted by the employer to the employee (ie it was necessary to identify the “…acts the…employee was authorised to do…”)
(ii) whether there was a sufficiently close connection between the position in which the individual was employed and the wrongful conduct to make it right for the employer to be held liable under the principle of social justice.
And as for (ii) the Supreme Court in Morrisons said the authoritative statement of the law had been made in Dubai Aluminium  2 AC 366, where the court said that it had to decide whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it might be fairly and properly regarded as done by the employee while acting in the ordinary course of his employment.
In Mohamud the petrol station attendant’s conduct was inexcusable but was within the field of activities assigned to him (attending to customers). In terms of the assault by the attendant that was in issue, the attendant had left the kiosk and followed the customer to his vehicle; what happened thereafter was an unbroken series of events. The court did not regard the attendant as metaphorically having taken off his uniform the moment he stepped from behind the counter. The attendant had, when he opened the claimant’s car door, told the claimant never to come back to the petrol station – this was not something personal but an order to keep away from the employer’s premises. In giving that order the attendant was purporting to act about his employer’s business.
In applying those principles here:
- the disclosure of the data on the internet did not form part of Skelton’s functions or field of activities; it was not an act which he was authorised to do;
- although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to the auditors and his disclosing it on the internet, that did not in itself satisfy the close connection test;
- the reason why Skelton acted wrongfully was not irrelevant: on the contrary, whether he was acting on his employer’s business or for purely personal reasons was highly material.
As a consequence the question whether Morrisons was vicariously liable for Skelton’s actions needed to be considered afresh. Was Skelton’s disclosure of the data so closely connected with acts that he was authorised to do that his wrongful disclosure may fairly and properly be regarded as done by him in the ordinary course of his employment?
Skelton could not have made the disclosure if he had not been given the task of collating and transmitting the data. However, the Supreme Court said that connecting factor was not enough. Previous cases were considered; however, there were no previous decisions where the employee had been deliberately trying to harm the employer. That said, there had been occasions where the courts had found that where the employee “…was going on a frolic of his own…” the employer would not be liable.
No liability had been found where a policeman had fired shots in a jealous rage on a vendetta of his own – that had nothing to do with police duties (Attorney General of the British Virgin Islands v Hartwell, in the Privy Council). This contrasted with Bellman v Northampton Recruitment Ltd where there was a vicarious liability finding (the notorious case where the MD of a company punched an employee at a Christmas party). There the MD was purporting to act as MD and was asserting his authority in front of members of staff over a subordinate employee who had challenged his managerial decision-making.
The Supreme Court concluded “…it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.” In the circumstances Skelton’s conduct was not so closely connected with acts that he was authorised to do that they could fairly be regarded as done by him in the ordinary course of his employment.
Having reached this conclusion the court did not need to consider the argument that the statute implicitly excluded vicarious liability. However, it did so anyway, finding the argument unpersuasive (and holding that the imposition of a statutory liability was not inconsistent with the imposition of vicarious liability at common law).
What this means for you
The judgment is a welcome surprise for defendants and their insurers. The previous decisions in this case were potentially ruinous for businesses that have been exposed to liability as the result of the actions of a rogue employee out to damage them. They will now be breathing a sigh of relief as a result of what appears to be a sensible and measured approach taken by the Supreme Court in noting that the Morrisons employee responsible for this disclosure was not acting in furtherance of his employer’s business and was not authorised to disclose personal data online - and hence doing so was not sufficiently closely linked to his employment.
The court seems to have felt that the lower courts got themselves tied up in knots when the position was in fact quite simple – Skelton was on a frolic of his own when he disclosed the data and Morrisons should therefore not be liable for his actions.
The wider question is how useful this will be in other cases. In practical terms there may be relatively few cases where it can be said that the employee’s conduct was such that he was off on a frolic of his own and there are still many more situations where the close connection test will work in favour of the claimant. It’s a positive step for defendants but a small one.
There also remains the issue of damages. Had the Supreme Court gone the other way, the eventual damages trial would have been very helpful in drawing a useful line in the sand for quantum in claims of this nature – for now, at least, that will remain an issue for further argument and potentially significant legal costs for both sides involved in litigation of this type.
That said the appeal in the equally-significant case of Lloyd v Google (which confirms that, subject to a de minimis threshold, civil data breach claims can be pursued without either actual financial loss or evidence of distress) has not yet been heard; it may be equally as important as Morrisons but for different reasons. The Court may take steps, as they appear to have done in this case, to try and close the floodgates of data breach litigation within the UK; that very much remains to be seen.
The Supreme Court handed down judgment on another landmark vicarious liability case this week - Barclays Bank plc v Various Claimants.