DWF acted for Wm Morrison Supermarkets in their successful defence of a group action for vicarious liability arising out of a mass employee data theft perpetrated by a rogue employee. It is the first mass data breach claim of its kind before the Courts.
The claim for direct fault-based liability was successfully defended at the original trial. Morrisons was found to have met all the relevant statutory data protection standards and did not foresee, nor could they reasonably have foreseen, the covert criminal enterprise their rogue employee had embarked upon.
However, Morrisons was found liable for no-fault vicarious liability as employer. In Morrisons' successful appeal, the Supreme Court has clarified how the law of vicarious liability should be applied and in so doing reversed the High Court and Court of Appeal decisions against Morrisons.
Register for our webinar to understand what this means for your business
Hear from the team who worked on this ground-breaking case as we discuss what the outcome means for businesses. Our employment, data protection and commercial litigation specialists will be answering your questions live.
Tuesday 21 April at 11am
Register for our webinar >
Summary of the case
In November 2013, Morrisons gave one of its senior internal auditors, Andrew Skelton, access to its payroll data for around 126,000 individuals so he could provide it securely to Morrisons' external auditors during the statutory audit process. In March 2014, Morrisons became aware that the payroll data of 100,000 of its current and former employees from that database had been put online and sent to three newspapers under the guise of an anonymous concerned person. Morrisons promptly had the data removed from the websites on which it appeared, informed the ICO, the police and other agencies, and launched its own enquires. Morrisons wrote to all 126,000 individuals and everyone who had been employed since then to inform them whether their personal data was affected, and of ID protection which Morrisons arranged at huge cost to be available to them.
Following a police investigation which identified Skelton as the culprit, Skelton was charged with a number of offences and at his criminal trial was convicted and sentenced to a lengthy prison term of 8 years. The trial established that Skelton, who was skilled in IT, had devised his criminal plan out of a desire to harm Morrisons, against whom he bore an irrational grudge following a minor and unrelated disciplinary incident some months earlier, which resulted in him receiving a verbal warning.
Significantly, having taken an unauthorised copy of the payroll data, Skelton sought to conceal his identity and distance himself from his employer: (i) he effected the online disclosure at home, (ii) he used a 'burner' phone, (iii) he set up an email account with credentials which pointed to a colleague against whom he also bore a grudge for the colleague's role in the earlier disciplinary matter, (iv) he used the 'The Onion Router' web browser to conceal his computer, and (v) he wrote anonymously to the newspapers posing as a concerned individual who had found the data online.
A Group Action was launched against Morrisons for direct liability under the Data Protection Act 1998, the tort of misuse of private information and the equitable remedy of breach of confidence. In the alternative, it was claimed that Morrisons was vicariously liable for the unlawful acts of Skelton. Whilst over 9,000 affected individuals joined the group action, the greater significance lay in the potential for any and all of the 100,000 affected employees to rely on the Court's finding against Morrisons whether they joined the group or not, and seek damages.
The claim if successful would have been hugely costly, and for most lesser companies, bodies, charities and local authorities who employ large numbers, such a claim would be potentially ruinous. Hence the claim was closely watched by industry and insurers alike.
The claims of direct fault-based liability were dismissed at the trial. The ICO, to whom Morrisons had promptly reported the incident, following investigations made no adverse finding against Morrisons.
Take away points from the Supreme Court
- The mere fact that an employee's employment provides the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability; and
- regard must be had to whether the employee was engaged, however misguidedly, in furthering his employer’s business, or whether the employee was engaged solely in pursuing his own interests: in the time-honoured phrase, on a ‘frolic of his own’.
The Supreme Court explored these points. Here is a summary of how the conclusions were reached.
1. The field of activities
The Supreme Court held that, contrary to the lower courts, the disclosure did not fall within the field of Skelton's employed activities. It was true that he had been asked to disclose the data to the statutory auditors, but his criminal act of copying the data and disclosing it deliberately to harm Morrisons was not within, or sufficiently closely connected to, his authorised duties.
2. Close connection test
The lower courts relied heavily on Lord Toulson's judgment in one of the leading cases, Mohamud v WM Morrison Supermarkets [2016] (note the irony there). They emphasised the seamless chain of events starting with entrusting the data to Skelton, leading ultimately to his criminal disclosure of it. Lord Toulson had set out how an employer may be vicariously liable for an employee's actions if there is a "seamless and continuous sequence of events … an unbroken chain" between the employee's conduct and their employment.
The Supreme Court found that the lower courts had misunderstood and misapplied Lord Toulsons' judgment. "[A]lthough there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to [the external auditors] and his disclosing it on the Internet, a temporal or causal connection does not in itself satisfy the close connection test." The Court distinguished between cases where the employment merely offered the opportunity, and where the wrong itself was perpetrated in the context of the employee doing their job.
3. Motive
The lower courts had rejected Morrisons' argument that it would be perverse for the Courts to visit liability on Morrisons, the intended victim of the crime, so that it could compensate the other collateral victims of Skelton (none of whom had claimed to suffer actual financial loss). The trial judge confessed to being troubled at the prospect of the Court furthering the criminal wrongdoer's goal. However, Lord Toulson had commented in Mohamud that "motive was irrelevant".
The Supreme Court found that Lord Toulsons' judgment had been misapplied: the reason why Skelton "acted wrongfully was not irrelevant: on the contrary, whether he was acting on his employer’s business or for purely personal reasons was highly material" and it was "abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. In those circumstances […..] Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment."
The Supreme Court clarified the principles of vicarious liability within its existing boundaries, and found, entirely contrary to the lower courts, that to impose vicarious liability on Morrisons would constitute "a major change in the law". No doubt welcome relief for data controllers everywhere.
Vicarious Liability within the data protection world
Whilst these issues apply to all vicarious liability cases, it is worth noting that this case revolves around data protection, the duties of a data controller, the rights of data subjects and the liability of an employer data controller for the activities of another data controller who happens to be its employee.
In obiter remarks, the Supreme Court held that the principle of vicarious liability can be applied to claims under the Data Protection Act 1998 (and by extension the GDPR and Data Protection Act 2018).
The DWF team was Andrew Harris (consultant), Michelle Maher (senior associate), Nicole Burton (director) and Elinor Webster (solicitor).
