Morrisons data breach litigation: the limits of vicarious liability

The Supreme Court has upheld Morrisons’ appeal in litigation arising from a data breach incident that affected approximately 100,000 of its own employees, WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12. The decision is an important restatement of the principles governing vicarious liability in the employment context. The case also illustrates the serious repercussions of data breaches for both the victims and the perpetrators.

Background

Andrew Skelton, employed on Morrisons’ internal audit team, harboured a grudge against his employer for imposing a low-level disciplinary sanction on him for using work facilities to run his own mail-order business. In November 2013, Mr Skelton was tasked with transmitting payroll data for Morrisons’ workforce, which contained a large amount of personal information, to its external auditors. An authorised transfer of the data was made to Mr Skelton’s laptop for onward transmission to the auditors.

Soon after, Mr Skelton copied the data from his laptop and uploaded it to a publicly accessible filesharing website. He then forwarded it to several newspapers, although publication was avoided. Mr Skelton used a burner phone and The Onion Router to anonymise his actions on the internet, but did not escape detection. The data, which included the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary of each employee, could have been misused for identity theft and other types of fraud.

He was arrested and prosecuted under the Computer Misuse Act 1990, for fraud and for an offence under section 55 of the Data Protection Act 1998 (the DPA98), receiving a total sentence of 8 years’ imprisonment.

The direct claims against Morrisons

Direct claims were brought by over 9,000 affected employees for breach of statutory duty under the DPA98, for misuse of private information and for breach of confidence, but these were dismissed following a trial at the High Court.

In relation to the DPA98 claim, Morrisons was able to show at trial that it had taken appropriate technical and organisational measures to maintain security over the data it held. Liability under the DPA98 is not strict: the level of security required is assessed in light of the risks presented by the nature of the data to be protected and the processing taking place, as well as the state of technological development and the cost of implementing measures.

With regard to the misuse of private information claim, Morrisons itself neither misused the private information nor permitted its misuse. In relation to the breach of confidence claim, it was not in dispute that confidential information had been entrusted to Morrisons and had been disclosed. However, the disclosure was not made by Morrisons, either directly or through an agent.

Vicarious liability

The focus of the appeal to the Supreme Court was the vicarious liability claim, which had succeeded before the High Court[1] and been upheld by the Court of Appeal[2]. The Supreme Court ruled that the courts below had erred in their interpretation of its recent decision in Mohamud v Wm Morrison Supermarkets Plc [2016] UKSC 11. Particular emphasis had been placed on the close connection between the employee’s conduct and his employment role, as well as the unbroken temporal and causal chain of events. The employee’s motive to harm his employer had been held to be irrelevant.

The Supreme Court considered the issue of vicarious liability afresh, applying the general test: see Lister v Hesley Hall Ltd [2002] 1 AC 215, 245 at paragraph 69 and Dubai Aluminium Co Ltd v Salaam [2003] 2 AC 366 at paragraph 23. Was Mr Skelton’s disclosure of the data so closely connected with the acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment?

Mr Skelton had been authorised to transmit the payroll data to the auditors, but the Supreme Court held that his subsequent wrongful disclosure was not so closely connected with that task that it could fairly and properly be regarded as made while acting in the ordinary course of his employment. The facts that his employment gave Mr Skelton the opportunity to commit the wrongful act, and that there was a close temporal and causal link between receiving the data for the auditors and the illegal internet disclosure, were insufficient to meet the close connection test. The disclosure of the data did not form part of the employee’s functions or field of activities. Moreover, the employee’s motive was relevant. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, in this case because he was pursuing a grudge.

The Supreme Court cited Lord Nicholls in Dubai Aluminium [2003] 2 AC 366 at paragraph 32, in which he distinguished “cases…where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase.”

On the particular facts of the case, therefore, the close connection test was not satisfied.

Vicarious liability in the context of data breach claims

In oral submissions before the Supreme Court, Morrisons’ primary position in response to the vicarious liability claim was based on a point of statutory interpretation. It was argued that, because section 13 of the DPA98 imposed liability on data controllers only where they acted without reasonable care, the statute was inconsistent with the imposition of strict liability under a vicarious liability claim.

The Supreme Court rejected this argument, stating that there was “nothing anomalous about the contrast between the fault-based liability of the primary tortfeasor under the DPA [98] and the strict vicarious liability of his employer” (paragraph 54). The Supreme Court therefore confirmed that employers may be held vicariously liable for the acts of their employees in breach of the DPA98, which has since been superseded by the Data Protection Act 2018, which gives effect to the General Data Protection Regulation (EU) 2016/679.

Conclusion

The Morrisons case reaffirms the limits of vicarious liability in circumstances where a rogue employee acts against the interests of their employer. However, it is all too common for data breaches to occur because of systemic failures by businesses to safeguard the personal information under their control, rather than because an employee has embarked on a frolic of their own.

Given our experience acting in the cybersecurity and privacy sector, Hausfeld is well-equipped to advise businesses affected by these events. 

[1] Various Claimants v WM Morrisons Supermarket Plc, [2017] EWHC 3113 (QB), [2018] 3 W.L.R. 691

[2] WM Morrisons Supermarkets Plc v Various Claimants, [2018] EWCA Civ 2339, [2019] Q.B. 772