The Supreme Court has handed down its Judgment in this high-profile case, in which Morrisons appealed previous findings of vicarious liability for a malicious data breach carried out by an ex-employee. The appeal also concerned whether the Data Protection Act 1998 excludes the imposition of vicarious liability for either statutory or common law wrongs.
The Supreme Court unanimously allowed Morrisons’ appeal, overturning the decisions of the lower courts, with Lord Reed giving the only substantive Judgment.
The Appellant operates the Morrisons supermarket chain. It employed Andrew Skelton as an internal auditor. Mr Skelton had previously received a verbal warning following disciplinary proceedings and had, as a result, developed a grievance against his employer.
In November 2013, Mr Skelton was asked to transmit payroll data from the company to its external auditors, KPMG. In doing so, he made and kept a personal copy of the data on a personal USB stick. The file included the data of 99,998 Morrisons employees. Mr Skelton later uploaded this data to a publicly accessible file-sharing website and sent a link to it to three major newspapers. One of the newspapers contacted the Appellant, which is how the data breach was discovered.
Mr Skelton was later prosecuted and is now in prison. The Respondents to the Appeal were 9,263 of the affected employees, who sued the Appellant on the basis that it was vicariously liable for Skelton’s acts. Their claims were for breach of statutory duty under the Data Protection Act 1998, misuse of private information and breach of confidence.
The Appellant was found to be vicariously liable on each basis claimed at both first instance and at the Court of Appeal. The Appellant therefore appealed to the Supreme Court.
It was held that the courts below had misapplied a key authority on vicarious liability (Mohamud v WM Morrison Supermarkets plc UKSC 11). In his Judgment, Lord Reed stated that the decision in Mohamud “was not intended to effect a change in the law on vicarious liability: quite the contrary”. He found that the courts below had focused on the final paragraphs of that judgment which, taken out of context, had wrongly been treated as establishing legal principles.
Lord Reed’s Judgment made clear that Mohamud never held that the motivation of the employee was irrelevant, contrary to what the lower courts had decided. The Judgment also found that Mohamud decided vicarious liability on the basis of the capacity in which the employee was acting, not on the temporal and causal connections between his employment and the wrongful act, as the lower courts had erroneously understood.
Whilst providing a comprehensive summary of the law on vicarious liability, Lord Reed explained that the existing “close connection” test was the correct test to be applied by the courts. This means that the court must determine whether the wrongful conduct of the employee was so closely connected with the acts that the employee was authorised to do in the ordinary course of his employment (also known as the employee’s “field of activities”) that it can fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment. Where a sufficient connection exists between the wrongful act and the employee’s field of activities, the employer may be held liable for the employee’s actions.
In the present case, the disclosure of data online was not part of Mr Skelton’s field of activities, as it was not something he was authorised to do. Further, although there was a close temporal link and an unbroken chain of causation between the provision of the data to Mr Skelton to send to KPMG and his disclosing it online, this in itself did not satisfy the close connection test. The mere fact that Mr Skelton’s employment had given him the opportunity to commit the wrongful act did not warrant a finding of vicarious liability.
Whether the Data Protection Act 1998 excludes the imposition of vicarious liability for statutory wrongs, misuse of private information and breach of confidence
Lord Reed held that, in the light of the court’s findings on vicarious liability, it was not necessary for the court to decide this issue. However, the court considered it desirable to express a view on it.
The Court’s view is that imposing statutory liability on a data controller such as Mr Skelton is not inconsistent with a concurrent finding of vicarious liability at common law against his employer, whether for breach of the statutory duties under the Data Protection Act 1998 or for a common law or equitable wrong. This is because the Data Protection Act 1998 is silent about the liability of a data controller’s employer.
The decision will be welcomed by employers that have no culpability in a mass data breach of this kind, as they will not be vicariously liable to pay compensation to those whose data has been leaked to the public. However, it leaves the victims of mass data breaches of this type with no practical remedy or compensation from the employer for the exposure of their personal data to the public.
The court’s comments on the Data Protection Act 1998 are obiter dicta (and thus not binding authority in future cases). Further, those comments concern the old regime, which has since been replaced by the Data Protection Act 2018. However, they are likely to be persuasive in future decisions concerning mass data breaches of this kind.
The decision should not be taken by employers as a blanket exemption from vicarious liability in these situations. Morrisons had strong compliance measures in place in relation to the protection of employee data, which was exposed only as a result of an employee’s vendetta against the company. Employers should therefore ensure that they have proper security, policies and safeguards in place so that they are protected, to the greatest possible extent, against liability in the context of malicious data breaches.