Morrisons has successfully argued in the Supreme Court that it cannot be held vicariously liable for a data breach in which the personal details of employees and former employees were exposed.
In a judgment handed down today (1 April), Lord Reed said that the company could not be held liable for an ex-employee’s criminal activity as it had been part of a “personal vendetta” against the organisation and not part of his role.
The Supreme Court’s judgment overturns previous decisions made by the Court of Appeal and the High Court, which had found the retailer could be held vicariously liable for the actions of Andrew Skelton, who is now in prison.
In 2014, Skelton, a senior internal auditor at Morrisons’ Bradford head office, leaked a file containing the personal details of thousands of employees and ex-employees to a file-sharing website. He had made a copy of the payroll file after receiving a verbal warning following disciplinary proceedings for minor misconduct.
In group litigation proceedings, more than 9,000 Morrisons employees and former employees brought a claim for compensation against the company for breaches of the Data Protection Act 1998, misuse of private information and/or breaches of confidence. Their lawyers argued that Morrisons’ employees entrusted their information to their employer, which failed to keep it safe, and that if it was not personally liable for the breach then it should be held vicariously liable for Skelton’s actions.
In considering Morrisons’ appeal against the High Court and Court of Appeal’s judgments, the Supreme Court explored whether the wrongful conduct was closely connected with what the employee was required to do while acting in the ordinary course of his employment.
It found that while Skelton was authorised to transmit the payroll data to external auditors, his wrongful disclosure of the data was not so closely connected with that task that it could be regarded as having been made in the ordinary course of his employment. It said that an employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business.
Julia Wilson, a partner at law firm Baker McKenzie, said the judgment will allow employers to breathe a sigh of relief.
“The previous Court of Appeal decision had stretched the concept of an employer’s vicarious liability for its employees very far, to hold an employer liable for the acts of an employee who was pursuing a personal vendetta outside the workplace, and had deliberately tried to hide his wrongdoing,” she said.
“Whilst often the vicarious liability of an employer has limited effects (usually owing liability to one or a small handful of employees), in this case the data breach element amplified the risk to Morrisons – who faced over 9,000 claimant employees in the end. If the Court of Appeal decision had been upheld, the level of damages Morrisons might have faced would be huge.
“Employers will be relieved to hear this outcome, however this case does illustrate how fact specific issues of vicarious liability are, and not all employers will have the grit or will to fight the issue all the way up to the Supreme Court.”
However, she noted that the judgment comes with a “sting in the tail” – the Supreme Court said an employer can be held vicariously liable in situations where an employee commits a data breach “in the course of employment”.
Paul Holcroft, associate director at employment law consultancy Croner, said: “This long-awaited ruling from the Supreme Court seems to provide further clarity on vicarious liability, something that many employers are likely wary of.
“The fact that this case made it to the Supreme Court demonstrates that this can be an unclear area and will be fact specific. To this end, it is important that companies are prepared to respond quickly to any circumstances when they could face liability for the actions of their staff.”