Supreme Court: Morrisons not liable for data breach of rogue employee
The Supreme Court has ruled that Morrisons were not vicariously liable for a mass data breach by a disgruntled employee. The Court overturned the Court of Appeal and High Court rulings, which found against Morrisons.
Mr Skelton uploads employee information to internet as act of revenge
A detailed summary of the facts is in our article on the Court of Appeal’s decision
Briefly, Mr Skelton, an internal senior auditor, had been given a verbal warning for minor misconduct. He then, as an act of revenge, copied personal data on almost 100,000 Morrisons' employees and uploaded them onto a file-sharing website. He also sent them to three newspapers.
Once Morrisons were alerted to the breach, they removed the data, informed the police and alerted their employees. They spent more than £2.26m in dealing with the immediate aftermath of the disclosure. A large element of that sum was spent on identity protection measures for their employees.
Mr Skelton was subsequently sentenced to eight years in prison for fraud (he had used a colleague’s details to set up a fake email account in an attempt to frame him).
Employees claim against Morrisons for data breach
Over 9,000 Morrisons’ employees claimed against Morrisons. They claimed for a breach of the Data Protection Act 1998 (which was in force at the time) and the misuse of private information and for breach of confidence.
High Court and Court of Appeal find Morrisons vicariously liable
The High Court and Court of Appeal found Morrisons vicariously liable for Mr Skelton’s actions. They ruled Mr Skelton’s actions were sufficiently closely connected to his role, since his actions fell within the field of activities entrusted to him (to receive and store payroll data and forward it to the external auditor). They found a ‘seamless and continuous sequence of events [and] an unbroken chain’.
Morrisons appealed to the Supreme Court.
Supreme Court disagrees
The Supreme Court overturned the decision.
The Court noted that, to establish vicarious liability, the employee's act must arise from a task 'closely related to what [they were] was tasked to do’ so it can fairly and properly be said the employee is acting in the ordinary course of their employment. The fact that the employment gives the opportunity to commit the wrongful act is not sufficient to impose vicarious liability. An employer is not normally vicariously liable when the employee is not engaged in furthering their employer’s business, but rather pursuing a personal vendetta or on 'a frolic of their own'.
The judgment examined previous cases on vicarious liability. It compared a Managing Director who punched an employee at a Christmas Party when illustrating he was in charge of the business (where the employer was held to be vicariously liable - a summary of the judgment is here) with a police officer who left his post and accidentally shot a bystander when enraged after finding his girlfriend in a bar with another man (where the employer was not held to be liable).
Where an act is one of 'personal vengeance', or in pursuit of private ends, an employee is not acting on their employer's business. Nor are they furthering their employer’s business. Mr Skelton was acting in a vendetta against Morrisons. Therefore, Morrisons were not vicariously liable for Mr Skelton’s actions.
The Court also ruled, obiter, that controllers can be vicariously liable for acts by employees that breach the DPA 1998. This principle would also likely apply to the Data Protection Act 2018 and GDPR.
Comment
This decision will be hugely welcomed by employers and controllers. The Court of Appeal had not found any shortcomings in Morrisons processing and storage of the data but still found them vicariously liable. This would have been hugely worrying for controllers being liable for something wholly outside their control. The Court had not faulted Morrisons’ response, and it is hard to see what more they could have done to prevent the breach, since the employee was acting in revenge against his employer.
Although Morrisons successfully challenged the decision, controllers should still ensure they have sufficient measures in place to safeguard data they hold. A mass data breach can cause financial and reputational harm. Data protection training for staff is therefore vital as is the need for constant vigilance and regular review of internal procedures to reduce the risk of a rogue employee having the ability to wreak havoc in this way.
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.