The Supreme Court has brought the UK’s first data leak class action case to an end by finding that Morrisons is not vicariously liable after an employee deliberately leaked the payroll data of 100,000 employees.
In 2013, Mr Skelton, a senior auditor employed by Morrisons, was tasked with providing a copy of the payroll data of Morrisons' entire workforce to its external auditors. This included the name, address, gender, date of birth, phone number, national insurance number, bank details and salary of each of Morrisons' 100,000 employees. Having been provided with access to the data in order that he could perform his task, Mr Skelton copied the payroll data from his work laptop onto a personal USB stick. In January 2014, he uploaded the payroll data to a file sharing website. Mr Skelton made the disclosure from his home using an anonymous pay-as-you-go mobile phone, a false email account he had set up using a colleague’s details and Tor, software designed to disguise the identity of a computer when accessing the internet. On 13 March 2014, the day on which Morrisons’ financial results were due to be released, Mr Skelton sent CDs containing a copy of the payroll data to three newspapers, claiming to be a concerned member of the public who had come across the data online.
Instead of publishing the data leak as Mr Skelton had intended, the newspapers alerted Morrisons. Within a matter of hours, Morrisons had put a containment plan in place which ultimately cost it over £2.26m. Measures included securing the removal of the data from the internet, conducting an internal investigation, notifying the police and its employees and implementing identity protection for all employees. Mr Skelton was arrested several days later and subsequently sentenced to 8 years’ imprisonment for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA). During his trial it emerged that his actions were motivated by a secret grudge he held against his employer following a previous disciplinary proceeding.
Morrisons' employees initiated a class action against Morrisons seeking compensation for the distress, anxiety, upset and damage caused by the data leak. By the time the case eventually came before the Supreme Court, over 9,000 employees were participating in the action.
The employees claimed that Morrisons was liable for the data breach on the grounds of breach of statutory duties under section 4(4) of the DPA, under common law for the tort of misuse of private information and in equity for breach of confidence. The claims were made on the basis that Morrisons had primary liability for its own acts and secondary (vicarious) liability for the acts of its employee, Mr Skelton. The claim under section 4(4) of the DPA was made on the basis that liability for breach of the statutory duty was absolute or strict but it was also asserted that if the court found that liability under section 4(4) was qualified (so that liability could only arise if Morrisons had failed to meet applicable standards) then Morrisons had in any event failed to meet those standards.
The case was initially heard by the High Court. In January 2018 the Court handed down its ruling. The court held that Morrisons did not have primary liability under any of the grounds of claim.
In respect of the DPA claim, the court found that there was no primary liability under section 4(4) of the DPA. The breaches alleged by the employees specifically related to the 1st, 2nd, 3rd, 5th and 7th data protection principles in respect of which the court held:
- in respect of the 1st, 2nd, 3rd and 5th data protection principles, Mr Skelton had become the data controller at the time that these were breached; as Morrisons was not the data controller at the relevant time, it was not subject to any statutory duty to the employees which it could have breached
- in respect of the 7th data protection principle, liability was clearly qualified rather than strict, so the simple fact of disclosure of data did not amount to a breach; on the facts, whilst Morrisons had fallen below the applicable standard by failing to take adequate and appropriate controls, albeit only in one minor respect, that failing had not caused or contributed to the disclosure or caused any loss and Morrisons was therefore not liable.
The court found that the claims in respect of breach of confidence or misuse of private information also failed on the basis that it was not Morrisons that disclosed the information or misused it. It was Mr Skelton, acting for his own criminal purposes and without Morrisons’ authority, who had committed the relevant acts.
However, the court held that Morrisons was vicariously liable for Mr Skelton’s breach of statutory duty under section 4(4) of the DPA as well as for the misuse of private information and breach of confidence.
In reaching its decision the court determined that vicarious liability applied where an employee committed a breach of a statutory obligation, even where that duty applied to the employee alone and not to the employer itself, provided that the employee was acting in the course of his employment and the statute did not expressly or impliedly exclude vicarious liability. Applying this to the facts of the case, the court held that Morrisons was vicariously liable because:
- Mr Skelton was acting as data controller at the time of the disclosure and his acts in disclosing the data amounted to a breach of his statutory duty under section 4(4) of the DPA
- Mr Skelton’s act in disclosing the data was so closely connected to the acts he had been authorised to perform that it could fairly and properly be regarded as done by Mr Skelton in the ordinary course of his employment
- there was nothing within the DPA which would preclude vicarious liability arising in respect of a claim under the DPA itself or under the common law tort of misuse of private information or the equitable action for breach of confidence. The DPA should be treated as providing additional protection in respect of the use of data rather than as replacing any form of protection that already existed at law.
In reaching this finding, the Court did recognise that Mr Skelton’s wrongful acts had been carried out with the deliberate intention of harming Morrisons and that its ruling of vicarious liability may therefore effectively result in the court having furthered Mr Skelton’s criminal aims. As such, the court granted leave for Morrisons to appeal its decision on the issue of vicarious liability.
Court of Appeal
Morrisons appealed on three grounds. Firstly, that the High Court should have concluded that vicarious liability could not apply to breaches of the DPA. Secondly, that the High Court should have concluded that the DPA excluded causes of action being brought under misuse of private information and breach of confidence (whether for direct or vicarious liability). Thirdly, that the High Court was wrong to conclude that Mr Skelton carried out the wrongful acts in the course of his employment and, accordingly, that Morrisons was vicariously liable for those wrongful acts.
In its judgement, the court noted that the employees had only claimed direct liability for breach of statutory duty under the DPA with the claims for vicarious liability being restricted to misuse of private information and breach of confidence. However, the court recognised that Morrisons’ first ground of appeal was a necessary “stepping stone” to enable it to argue that the DPA precludes vicarious liability under the common law tort of misuse of private information or for breach of the equitable duty of confidence as put forward in its second ground. The court therefore considered the first and second grounds of appeal together.
Morrisons argued that it was necessary to interpret the DPA as excluding vicarious liability for the common law and equitable claims. It asserted that whilst the DPA covered precisely the same ground as the claims in common law and equity, namely privacy, there were substantial inconsistencies between the positions under each. As Parliament had elected to pass specialist legislation in the form of the DPA, it must be implied that Parliament’s intention was that this would exclude vicarious liability under the inconsistent common law and equitable claims as they could not have been intended to co-exist.
The court was not persuaded by Morrisons’ arguments. Whilst the court did not make a decision on the first ground of appeal, it found against Morrisons on the second ground of its appeal, noting that:
- if Parliament had intended the DPA to exclude common law and equitable rights it would have said so expressly
- Morrisons had conceded that claims for primary liability under the common law and equitable remedies did operate in parallel with the DPA whilst also arguing that the DPA excluded claims for vicarious liability under the common law and equitable claims. This was a difficult line to tread and was inconsistent with the principal objective of the DPA, which was to protect privacy and provide an effective remedy for its infringement
- the DPA said nothing about the liability of an employer who was not a data controller for breaches by an employee who was a data controller.
Morrisons’ third ground of appeal turned upon the question of whether there was sufficient connection between Mr Skelton’s disclosure of the data and his employment to make it right for Morrisons, as his employer, to be held liable. Morrisons argued that Mr Skelton was not acting in the course of his employment because the wrongful act was carried out when he was at home, out of work hours and using his own personal equipment. The court disagreed, holding that the wrongful act in fact began when Mr Skelton copied the data from his work laptop onto his own USB stick. This act was carried out at work and in the course of employment. The employees’ cause of action against Mr Skelton came into being as soon as the data was copied and everything that followed was a seamless and continuous sequence of events giving an unbroken chain of causation.
The court recognised that the case was unusual in that Mr Skelton’s aim was to harm Morrisons rather than to achieve a benefit for himself and it acknowledged the concerns raised by the High Court that a finding of vicarious liability may further these aims. However, it held that Mr Skelton’s motive was irrelevant.
The court was unsympathetic to arguments raised as to the potentially devastating liability that organisations may face if they are to be held liable for deliberate data breaches by employees, stating that insurance provided a valid answer to the “Doomsday or Armageddon arguments” put forward by Morrisons.
Morrisons’ appeal was dismissed on all grounds.
Morrisons appealed the case to the Supreme Court. The case was heard in November 2019 with judgment handed down in April 2020.
The questions to be determined in the appeal were:
- (1) Whether Morrisons was vicariously liable for Mr Skelton’s conduct
- (2) If the answer to (1) is yes:
  - Whether the DPA excludes vicarious liability for statutory breaches of the DPA by an employee acting as a data controller; and
  - Whether the DPA excludes vicarious liability for the common law tort of misuse of private information or under an equitable claim for breach of confidence.
In considering the first question, the court reiterated that in order to establish vicarious liability, Mr Skelton’s wrongful disclosure of data must have been so closely connected with acts that he was authorised to do in his capacity as employee that his act in disclosing the data could fairly and properly be regarded as having been done by him while acting in the ordinary course of his employment. In assessing this the court must consider whether Mr Skelton’s acts were within the field of activities which he was authorised to perform by Morrisons and whether there was a sufficient connection between Mr Skelton’s role as an internal auditor and his disclosure of data so that Morrisons should be liable for his wrongful acts. The court considered that the “close connection” test was not a simple question of timing or causation and that Mr Skelton’s motive was highly relevant to the issue of vicarious liability.
On the facts of the case, the court found that:
- whilst Mr Skelton’s employment gave him the opportunity to make the disclosure of data, Mr Skelton was not authorised to make the disclosure by Morrisons and nor was the making of the disclosure within Mr Skelton’s field of activities
- it was clear that Mr Skelton was pursuing a personal vendetta when making the disclosure of data and was not engaged in furthering Morrisons’ business when committing the wrongful act.
In allowing the appeal on the first issue and finding that Morrisons was not vicariously liable for Mr Skelton’s acts, the court concluded that the lower courts had misunderstood the principles of vicarious liability.
Whilst the court’s finding on the first issue meant that there was no necessity for it to consider the second question raised on the appeal, it nevertheless felt that it was desirable that it do so. The court held that the DPA neither expressly nor impliedly excluded vicarious liability for a breach of the DPA committed by an employee who was a data controller nor prevented an employer being found vicariously liable for an employee’s misuse of private information or breach of confidence.
Whilst the Supreme Court’s ruling may have come as a relief to both employers and the insurance industry, we would emphasise that Morrisons escaped vicarious liability on the specific facts of this case. When considered outside the scope of those facts, the key take-aways from the case give less cause for reassurance:
- employers can still be held vicariously liable for data breaches by their employees with the potential for a single act by an employee resulting in large scale group actions against an employer that had taken all reasonable measures to meet its obligations under data protection law
- data protection laws do not exclude vicarious liability, whether for statutory breaches, common law claims of misuse of private information or equitable claims for breach of confidence
- the costs of breach can be high. In this case, Morrisons spent £2.26m on breach management not including the cost of defending the claim in the High Court and pursuing appeals before the Court of Appeal and the Supreme Court (exactly how the litigation was funded and whether Morrisons will be able to recover any litigation costs is unknown).
- the possible costs of a successful class action remain unclear. The issue of quantum was not considered given the Supreme Court’s ruling and there is uncertainty as to how the courts would approach a quantum decision on such a case. Whilst it is generally perceived that the sum payable to each individual would be low, the sheer number of claimants in a class action could easily push a defendant’s damages bill well into the millions. The Court of Appeal was unsympathetic to public policy arguments run by Morrisons in this regard, stating that the risk of costly damages could be insured against.
- as yet there is no indication that the Morrisons case has had any sort of dampening effect on the growing appetite for data-related class action cases. With several other class actions currently proceeding through the courts, including an upcoming Supreme Court hearing in Lloyd vs. Google, this remains an issue to watch.
Application to the GDPR/Data Protection Act 2018
Whilst this case concerned liability under the Data Protection Act 1998, organisations should note that the principles appear to be equally applicable under the GDPR and Data Protection Act 2018; the change of law will not therefore provide a shield against future findings of vicarious liability.