Court of Appeal hands down judgment in Morrisons Appeal

On 22 October 2018, the Court of Appeal handed down its judgment in the appeal by supermarket Morrisons against the High Court's decision that it was vicariously liable for the acts of a rogue employee.

This is the first data leak class action in the UK and involves more than 5,000 employees. Read our summary of the decision and the key points you need to know.

Background

In January 2014, Mr Skelton, an employee of Morrisons with a grudge against the company, intentionally leaked 99,998 employees' records online. This included employees' names, addresses, dates of birth, phone numbers, National Insurance numbers, bank account details and salary details.

The information was shared on various websites and sent to the media. The media notified Morrisons, who worked to remove the information the following day.

Subsequently, over 5,000 employees brought a group action (under a group litigation order) against Morrisons, seeking compensation for:

  • Breach of the Data Protection Act 1998  (the DPA)
  • Tort of misuse of private information
  • Equitable claim for breach of confidence

On 1 December 2017, the High Court handed down its judgment and held that whilst Morrisons was not primarily liable/directly at fault for the data breach, but, despite it having exercised "adequate and appropriate controls", it was vicariously liable. The Court was, however, concerned that Mr Skelton's intention was to harm Morrisons and that its decision to hold Morrisons liable could "render the Court an accessory to furthering his criminal aims".  Therefore, the Court granted Morrisons permission to appeal the decision on vicarious liability.

Court of Appeal decision

Morrisons appealed on three grounds:

  1. The Court should have found that the DPA excludes the application of vicarious liability;
  2. the Court should have found that the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for these breaches; and
  3. the Court was wrong to conclude (a) the wrongful acts occurred in the course of employment and (b) that Morrisons was vicariously liable for them.

The Appeal was heard on 9 and 10 of October before the Master of the Rolls, Lord Justice Bean and Lord Justice Flaux. On 22 October 2018, the Court of Appeal handed down its judgment upholding the High Court decision that Morrisons was vicariously liable for the breach. In summary:

  • The Court dealt with the first and second ground together. The Court of Appeal rejected Morrisons' arguments that the DPA (expressly or impliedly) excludes an employer's vicarious liability at common law for an employee's misuse of private information and breach of confidence. The Court found:

    • If Parliament had intended such an exclusion, it might have been expected to expressly say so.
    • Morrisons' concession that causes of action at common law and in equity operated in parallel with the DPA in respect of primary liability of the wrongdoer was inconsistent with its position that vicarious liability for the same causes of action had been excluded by the DPA.
    • The DPA says nothing at all about the liability of an employer, who is not a data controller, for breaches of the DPA by an employee who is a data controller.
  • On Morrisons' third ground of appeal, he Court rejected arguments advanced by Morrisons' Counsel that the 'close connection' test for vicarious liability was not satisfied (referring to a long line of case law on the point).
  • The Court also rejected arguments advanced on behalf of Morrisons about the impact the decision could have if Morrisons were found to be liable placing a huge burden on both Morrisons and other innocent employers. The Court referred to the option of obtaining an insurance policy against potential breaches but highlighted that a defendant not being insured would not be a reason for not imposing liability.

Morrisons have indicated that they intend to appeal the decision to the Supreme Court.

Key practical points

The decision has the following key practical points:

 

1 - Technology

Businesses will already have needed to invest significant funds into preparing for the implementation of GDPR in May 2018. Following the decision an employer will remain vicariously liable for the acts of an employee in breaching data protection legislation, further investment will be required in AI technology to help protect against potential breaches and data loss prevention (particularly in large organisations).

2 - Policies and procedures

Businesses will also need to consider changes to policies and procedures to help minimise the risks of data breaches. Where sensitive data is involved, policies may need to be changed to limit the number of employees with access to this information and set strict guidelines as to how it is to be used and shared. HR policies may also need to be reviewed in situations where an employee raises a grievance, particularly where that employee holds a position with access to significant data.

3 - Training

There is likely to be additional training required for HR teams, senior managers and supervisors to help identify the areas of risk within a business and to ensure effective management of employees handling data.

4 - Insurance

In response to arguments raised on behalf of Morrisons of the potentially huge financial impact the decision could have on innocent employers, the Court of Appeal simply referred to the option to take out insurance to cover these circumstances. This may be an additional cover businesses need to consider.

5 - Reputation

However a data breach occurs the impact this can have on a business's reputation could be significant and wide ranging. Many companies that have suffered a data breach see a significant impact on share price and customer loyalty. It is important a business has appropriate plans in place to ensure that, should a breach happen, it is able to comply not only with its regulatory requirements (ICO reporting) but also minimise the negative impact on reputation and customer confidence.

Comment

In nearly 20 years since the inception of the DPA, this is the first case to question whether vicarious liability can arise where an employee has deliberately misused data. In reaching the conclusion the trial Judge showed some hesitance as he acknowledged that, in finding Morrisons liable, this might be seen to render the Court an accessory to furthering Mr Skelton's criminal acts. It was for this reason he gave permission to appeal.

Businesses will find the Court of Appeal's decision concerning as the finding cements the position that, even in circumstances where an employer has appropriate controls in place and is considered "innocent", they could still be liable for the acts of a rogue employee. Whilst businesses can put in place procedures and policies to help protect against these risks, in reality it will be nearly impossible to fully protect a business against the acts of a determined disgruntled employee. It seems inevitable that the Supreme Court will hear an appeal on such an important point of law but, for now, employers face this additional risk and burden and this is likely to be an area of attention for claimant firms and claims management industry.

For more information, please contact Richard Hayllar (Partner) or Alanna Tregear (Associate).

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published

23 October 2018

INSIGHTS & EVENTS

View all