Morrisons victory: no vicarious liability for actions of rogue employee
Yesterday, in the long-awaited judgment from the Supreme Court, supermarket chain Morrisons succeeded in its battle against vicarious liability for a data breach caused by an employee with “an irrational grudge”. This will be a huge relief for employers across the board who were concerned about being held legally accountable for the unauthorised actions of their disgruntled employees. Importantly, this case could have set a precedent for a flood of data protection group litigation claims being made against employers.
The data breach
As a reminder, this case is about the actions of an employee of Morrisons’ internal audit team called Andrew Skelton, who at the time of the event was disgruntled, having received a disciplinary warning from Morrisons. In 2013, Skelton, as part of his role, was tasked with sending payroll data of nearly 100,000 Morrisons employees to external auditors. In doing so, Skelton covertly made a separate copy of the data, which he then uploaded to a publicly accessible filesharing website at home on a Sunday, using his own personal IT equipment. Skelton, pretending to be a concerned member of the public, waited until the day that Morrisons’ financial results were due to be announced to anonymously notify three newspapers of the disclosed data. The newspapers alerted Morrisons, which immediately took steps to remove the disclosed data online, conduct internal investigations, inform the police and take measures to protect the identities of the affected employees. A few days later Skelton was arrested by the police and charged with a number of criminal offences.
A group of nearly 10,000 of the affected employees (and former employees) later issued a damages claim against Morrisons either directly or on the basis of its vicarious liability as an employer for Skelton’s actions. Morrisons decided to appeal to the Supreme Court after it lost its battle in the Court of Appeal in October 2018. Had this group action been successful, Morrisons would have been exposed to potential claims from all the affected 100,000 individuals – a significant liability for any employer, and one that would have created huge employee relations issues for the company.
No vicarious liability for employer
The crux of the case centred on whether Morrisons, as an employer, could be held vicariously liable for the actions of its rogue employee. The Supreme Court, in a landmark decision, yesterday overturned the previous Court of Appeal decision, stating “considering the question afresh, no vicarious liability arises in the present case”.
The key reason for the Court reaching the decision on vicarious liability was that Skelton’s actions in wrongfully disclosing the data online were not so closely connected with his ordinary duties that they could fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability on Morrisons. His motive for the wrongdoing was to pursue a personal vendetta rather than furthering Morrisons’ business and an employer will not normally be vicariously liable in such circumstances.
However, importantly, the Court did highlight that, in principle, employers like Morrisons could be held vicariously liable for breaches of data protection legislation where an employee like Skelton is a data controller in their own right. There is no blanket exclusion on the principle of vicarious liability for rogue employees committing data breaches.
The Supreme Court’s judgment will be a welcome outcome for many employers and those in the data protection and employment field; however, there are a number of key points for employers to consider following this decision:
- The act in question was committed in the employee’s own time using his own IT equipment. Could the outcome have been different if it had been done on work time using Morrisons’ IT equipment? We think not, because the employee’s motive and purpose is still relevant, as acknowledged by the Supreme Court. It may well have been more difficult for Morrisons, however, if the incident had occurred on Morrisons’ time, in their premises, using their IT equipment, which makes the following points all the more important:
- Security measures – employers whose failure to have adequate security measures can be linked to the actions of a rogue employee will be held directly liable under the GDPR (in this case, Morrisons did in fact have extensive security measures protecting the payroll data). The ICO has recently fined a number of organisations for a lack of appropriate security measures. This will be particularly important in light of the pandemic as organisations are being hit with more data breaches and phishing scams than ever.
- Data processing by employees – where employees are processing data on behalf of their employer as a data controller, as opposed to for personal reasons, the employer will be directly responsible for that processing. It is only where an employee “goes rogue” and the actions are outside an employer’s control that an employer may not be considered either directly or vicariously liable.
- Employee training – employees should be aware of what actions constitute a data breach and what they should do in the event that they suspect that either they or a colleague have committed a data breach.
For detailed information about how your organisation can implement effective cybersecurity measures, see our Cybersecurity Toolkit