Employers breathe a sigh of relief following the Supreme Court decision in Morrisons

In a unanimous decision on 1 April 2020, the Supreme Court reversed the Court of Appeal’s decision that found Morrisons vicariously liable for a data breach committed by a rogue employee. The Supreme Court held that the Court of Appeal “misunderstood the principles governing vicarious liability in a number of relevant respects”.

1. Background

As a reminder, the Morrisons data breach was the result of the deliberate and criminal actions of a disaffected former employee, Andrew Skelton. Having exploited his legitimate access to Morrisons’ systems, Mr Skelton stole and unlawfully published the personal data of almost 100,000 Morrisons employees on a file sharing website, and later sent a copy of the same data anonymously to three newspapers. The published data included names, addresses, gender, dates of birth, telephone numbers, national insurance numbers, bank account details and salary details. Once Morrisons was alerted to the breach, it quickly took steps to have the website taken down and alerted the police. The ICO investigated but ultimately decided that no enforcement action was appropriate at the time.

Mr Skelton was convicted of fraud, of securing unauthorised access to computer material under the Computer Misuse Act 1990 and of unlawfully disclosing personal data under section 55 of the Data Protection Act 1998 (DPA), and was sentenced to 8 years in jail in 2015.

2. The journey to the Supreme Court

On 24 November 2015, 5,500 of the affected employees joined group litigation against Morrisons, alleging both primary and vicarious liability for (i) misuse of private information; (ii) breach of confidence; and (iii) breach of the statutory duty owed under section 4(4) of the DPA.

Both the High Court and the Court of Appeal determined that Morrisons was not primarily liable for the breach, finding no reason to criticise the supermarket’s security controls, save perhaps for an overreliance on a manual process, which neither caused nor contributed to the tort.

However, Morrisons was found both at first instance and on appeal to be vicariously liable for the actions of Mr Skelton. On this point, the Court of Appeal reasoned that “vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded by the DPA” and that, therefore, at common law the supermarket could be liable for acts of an employee carried out in the course of his employment, or at least for acts so closely connected with his employment as to be treated as such. The Court of Appeal, referring to the judgment at first instance, found that the acts of Mr Skelton were not random acts but instead constituted an “unbroken chain beginning even before, but including, the first unlawful act of downloading data from his...work computer to a personal USB stick”.


3. The opportunity for an employee to commit a wrongful act is not sufficient to find an employer vicariously liable

Having first clarified the case law on vicarious liability, and having reviewed the earlier decisions in Lister v Hesley Hall, Dubai Aluminium v Salaam and Mohamud, Lord Reed, delivering the only judgment, found that [31]:

a. the disclosure of the data on the internet did not form part of Mr Skelton’s functions or “field of activities”;

b. the application of the Catholic Child Welfare Society factors by the Court of Appeal was not relevant to the present case. Those factors are instead relevant to whether vicarious liability can arise in a relationship akin to employment;

c. despite the temporal link and the unbroken chain of causation running from the provision of the data to Mr Skelton to its disclosure online, “a temporal and causal connection does not in itself satisfy the close connection test”; and

d. Mr Skelton’s motive for acting as he did was a material consideration in deciding whether he was acting on his employer’s business or purely for personal reasons.

According to the Supreme Court, the main question was whether the disclosure of the personal data “may fairly and properly be regarded as made by him while acting in the ordinary course of his employment” [33]. The Supreme Court found [34] that the only causal link between Mr Skelton’s employment and the breach was that he had legitimately been provided with the data in the ordinary course of his employment. The Court held that the mere fact that an employee’s employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability [35].

Further, the Supreme Court found that it was “abundantly clear” that Mr Skelton was not engaged in “furthering his employer’s business” when he committed the wrongdoing. Instead, Mr Skelton was “pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier” [47].

The Supreme Court concluded that Mr Skelton’s wrongful conduct was not so closely connected with the acts he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment [47].

4. The Data Protection Act does not exclude the imposition of vicarious liability

The Supreme Court determined that it was desirable, albeit not strictly necessary, to consider the relationship between the DPA and the common law remedy of vicarious liability [48].

The Court rejected Morrisons’ submission that the DPA impliedly excluded the vicarious liability of an employer who had acted with reasonable care in accordance with the then seventh data protection principle (security). According to the Court, the statutory scheme of the DPA was not inconsistent with the imposition of strict liability on the employer of a person who is himself a controller (as Mr Skelton was in his own right), whether for that person’s breach of the DPA or for his breach of duties arising at common law or in equity [54].

The Court found no inconsistency between the fault-based liability of the primary wrongdoer (Mr Skelton) under the DPA and the strict vicarious liability of his employer (Morrisons) at common law. However, in this case, as explained above, the Supreme Court concluded that Morrisons was not vicariously liable for the acts of Mr Skelton. The point may be significant in other cases, but not for Morrisons.

5. Initial comments

This has been an expensive and damaging exercise for Morrisons. The initial costs of investigating and rectifying the breach are likely to have been dwarfed by the PR, legal and other costs associated with the follow-on litigation, quite apart from any damage to its brand and employee relations. Incidentally, whilst the claimant pool had swelled to 9,263, almost twice its original size, this is still some way short of the total number of affected individuals.

The final ruling in this long-running saga is likely to come as a significant relief to employers. The decisions of the lower courts had left employers in the uncomfortable position of potentially being held vicariously liable for the acts of rogue employees, even where the employee had been convicted of criminal offences carrying significant jail sentences and had deliberately set out (according to the deciding courts) to harm the employer.

This decision may be unpopular with some, but it does somewhat restore the balance for employers grappling with compliance obligations and the need to observe individual rights and freedoms in the data protection and employment context.