
Supreme Court hands down long-awaited judgment in Morrisons data breach claim
On 1 April 2020, the Supreme Court released its judgment in the long-running case of WM Morrison Supermarkets plc v Various Claimants. The judgment allowed Morrisons’ appeal against a 2018 Court of Appeal judgment, which had held Morrisons vicariously liable for a data breach deliberately committed by a rogue employee.
Background
The facts of the case date back to late 2013, when a senior auditor (Mr Skelton) in Morrisons’ internal audit team was tasked with transferring payroll data to the supermarket’s external auditors. In doing so, Mr Skelton also took his own copy of the data, which concerned approximately 126,000 employees and included names, contact details, dates of birth, bank details and salary information. Mr Skelton then uploaded nearly 100,000 of those employees’ details to a public file-sharing site, as well as sending the data to three newspapers. He was subsequently arrested and sentenced to eight years in prison for data theft.
A group of affected employees brought proceedings against Morrisons for breach of the Data Protection Act 1998 (DPA), misuse of private information and breach of confidence. The claims were brought both on the basis that Morrisons was directly liable for a failure to comply with the DPA and that Morrisons was vicariously liable for the actions of Mr Skelton as an employee. Vicarious liability for employers arises when an act of wrongdoing is committed by an employee in the course of that employee’s employment.
The preceding judgments
At first instance, the judge disagreed with the claimants’ arguments that Morrisons was directly liable for any of the alleged breaches. In other words, Morrisons had complied with the requirements of the DPA and had not, itself, committed any breach giving rise to an actionable claim in how it had handled the employees’ personal data or the incident itself.
Although the judge was expressly uncomfortable with drawing this conclusion, he nevertheless found that Morrisons was vicariously liable. This was on the basis that: a) the purpose of the DPA was to protect individuals and this purpose would be undermined if Morrisons were not held liable; and b) the fact that Morrisons had provided Mr Skelton with the data to carry out the task assigned to him meant that Mr Skelton had acted in the course of his employment. The judge thought that, in trusting Mr Skelton with confidential information, Morrisons had to take the risk that it could be wrong in placing that trust in him, and Mr Skelton’s disclosure to unauthorised third parties was “closely related” to the task that he was assigned to carry out.
As the judge could see merits in the arguments on both sides, he granted leave to appeal. The Court of Appeal agreed with the first instance judge and dismissed Morrisons’ appeal, noting that it considered that Mr Skelton’s wrongdoing was “within the field of activities assigned to him by Morrisons”.
The Supreme Court’s decision
Morrisons subsequently appealed again to the Supreme Court, which has now reversed the Court of Appeal’s decision. The court held that the previous courts had misunderstood the principles governing vicarious liability in the following key ways:
- The online disclosure of the data by Mr Skelton was not part of his “field of activities”, as he was not authorised to make the disclosure.
- There was not a “close connection” between the task Mr Skelton was asked to do and the act of wrongdoing that he committed.
- The courts had been wrong to suggest that Mr Skelton’s motive was not material in assessing vicarious liability; whether Mr Skelton was acting for his employer’s business or for personal reasons was highly material.
Taking into account all of the above, the court considered that Mr Skelton was not acting “in the course of his employment” when he disclosed the data online and therefore no vicarious liability for Morrisons arose. The fact that Mr Skelton was given the opportunity to disclose the data because he had access to the data in the context of his role was not enough to suggest that the unauthorised disclosure was closely connected to the task he was assigned. Mr Skelton was pursuing a personal vendetta and his disclosure was not an act that was undertaken for the purposes of furthering Morrisons’ business.
Implications
This is a landmark judgment and it will allow employers to breathe a (tentative) sigh of relief. A finding of vicarious liability would have had significant repercussions and would have meant that employers would risk having to pay out significant sums of compensation, even where that employer had done everything within its power to comply with data protection law and the breach was a criminal action by an employee intent on harming the employer’s business.
Employers can take some reassurance from the Supreme Court judgment that they will not be “on the hook” in these circumstances. However, the judgment does not mean that employers will escape liability for the actions of any rogue employee. The court did not feel that data protection legislation excludes vicarious liability altogether, merely that the conditions for vicarious liability were not met in this instance.
To mitigate the risk of being found vicariously liable for an employee’s actions, employers should have robust access controls in place that restrict access to personal data to only those who require it for their roles and should make clear to employees what the scope of their tasks is when it comes to handling personal data. Regular training is also critical to ensure that employees understand their data protection obligations and to put employers in the best position to demonstrate compliance.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at April 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.