The supermarket chain Morrisons had an internal auditor who went rogue. Aggrieved at an internal disciplinary process, he disclosed payroll data on the internet relating to about 100,000 of his colleagues. He was tracked down, charged and sentenced to eight years in prison. But was Morrisons liable to the employees whose information he had leaked?

The High Court held that Morrisons had no direct liability but that, even though it had done nothing wrong, it was indirectly or “vicariously” liable for the leak because the auditor was acting in the course of his employment. Although “only” 5,500 employees had brought a claim, there was potential liability to all 100,000 employees. Even if an individual employee might recover only a small amount for the distress caused, the overall financial impact on Morrisons might be enormous.

Morrisons appealed to the Court of Appeal (“CA”), on two main grounds. First, Morrisons argued that vicarious liability had no place in data protection law and did not apply. Secondly, it said that the auditor was not acting in the course of his employment.

Court of Appeal’s judgment

The CA rejected the appeal. On the first ground, it could see no reason why vicarious liability should not apply. If Parliament had intended to eradicate an individual’s normal common law rights, it would have said so.

The CA then turned to the second ground and whether or not the auditor was acting in the course of employment. Previous cases on vicarious liability had established a two-step test:

  • Identify the function or field of activity entrusted by the employer to the employee.
  • Consider whether there was sufficient connection between the individual’s position and his wrongful conduct to make it “right” for the employer to be held liable.

The first step was simple - the employee had clearly been entrusted with payroll data. But was there sufficient connection between his position and leaking the data? The leak had occurred some weeks after he had taken the data, at his home, using his own computer. In addition, his aim was to cause harm to his employer. If Morrisons were found liable, the result - albeit indirectly – would be to help him achieve that aim.

After looking at various previous cases, the CA concluded that the employee was acting in the course of his employment, so Morrisons was liable.

Implications

Normally, the law will only impose liability on an individual who is blameworthy, but vicarious liability is an exception to this. In essence, vicarious liability is about loss distribution and achieving fairness and justice, imposing liability on the person most able to pay. Since the late 1990s, however, the courts have extended the scope of vicarious liability, taking a flexible and expansive approach (see, for example, another recent CA decision).

One can argue over whether it is right that an employer should be responsible for, say, the actions of a racist employee who attacks a customer, but normally the imposition of liability causes little difficulty. Claims are limited in number - for example, even cases about allegations of sustained sexual abuse rarely involve more than 100 claims against one institution. The costs of meeting such claims are generally manageable, and may be insured.

The Morrisons case breaks new ground - although at least it was limited to an identifiable, albeit very large group. Facebook has recently admitted that up to 50 million users were affected by a data breach. Will they bring claims for the distress caused?

Although Morrisons has said it will seek to appeal to the Supreme Court, the issues raised by the case go well beyond its specific facts. Ultimately, Parliament may need to decide on the extent of liability. Pending that, employers should dig out their insurance policies and check the scope of their cover.

WM Morrison Supermarkets plc v Various claimantsjudgment available here