What does WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12 mean for data breach matters?

April 6, 2020

By Trudi Olivia Moore

A short analysis of the development of the principle of vicarious liability in data breach matters.

Introduction

Following the introduction of the General Data Protection Regulations in 2018, increased attention has been afforded to the protection of individuals’ personal data. Often, a data breach will occur where there is wrongful disclosure of an individual’s private information to a third party. This may be the result of technological or human error. Either way, a company or organisation can be held vicariously liable for the data breach if the tortious act of an employee is carried out in the course of their employment.

However, crucially, vicarious liability is fact specific. A data breach may not be the result of error or mistake. A breach may occur when an employee is acting begrudgingly and intentionally. Despite the breach having some connection to an employer, there may be situations in which an individual effectively ‘goes rogue.’ The question that emerges in this situation is whether or not an employer may be held vicariously liable for the acts of an employee who is pursuing his own interests and ‘on a frolic of his own.’

It follows that an assessment of the facts of the matter will be required in order to conclude whether or not the wrong was, in fact, so closely connected to their employment as to justify a finding that it was carried out in the course of such. The traditional test for determining whether or not the wrong was carried out in the course of employment is found in the text of Law of Torts by Sir William John Salmond (1907). The fundamental proposition was that “a master is not responsible for a wrongful act done by his servant unless it is done in the course of his employment.” An act was deemed to be carried out in the course of employment if it was either authorised by the master or a wrongful and unauthorised mode of doing some act authorised by the master. In order to answer this question, an investigation of the nature and scope of the authority granted to the employee, by the employer, was required. In itself, this caused complication through varying interpretations.

In a situation where the breach is carried out by an employee who is acting maliciously or for their own personal gain, the act is likely unauthorised. Case law has developed over time and the question has become whether or not the act was so closely connected with the acts that they were authorised to do, that it can be regarded as another way of carrying out their tasks. This is known as the ‘close connection test’ and is set out in Lister v Hesley Hall [2001] UKHL 22. The factors that may be considered in determining the close connection test are:

  • the opportunity that the enterprise afforded the employee to abuse his or her power;
  • the extent to which the wrongful act may have furthered the employer’s aims (and hence be more likely to have been committed by the employee);
  • the extent to which the wrongful act was related to friction, confrontation or intimacy inherent in the employer’s enterprise;
  • the extent of power conferred on the employee in relation to the victim;
  • the vulnerability of potential victims to wrongful exercise of the employee’s power.[1]

Consequently, the scope of vicarious liability is rather broad. Employers may be held liable for the actions of their employee in a number of situations. However, the courts have grappled with the idea of an employee who is acting entirely independently from an employer and may, for example, hold a grudge against their employer or third party. The matter of Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113 explored this scenario.[2] It was first heard by Mr Justice Langstaff in 2017.[3] Morrisons appealed the judgment and the Court of Appeal upheld it.[4] Morrisons sought leave to appeal to the Supreme Court and it was heard in November 2019.

 

WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12 on appeal from [2018] EWCA Civ 2339

On 1st April 2020, the Supreme Court handed down judgment in WM Morrisons Supermarkets PLC v Various Claimants.

Mr Skelton was an employee of Morrisons Supermarket. His role was that of senior internal auditor. In July 2013, he was involved in disciplinary proceedings relating to minor misconduct. Following such, he developed aberrant animosity towards his employer.

Later in 2013, Mr Skelton was tasked with preparing payroll data in preparation for disclosure to KPMG, the supermarket’s external auditor. In order to do so, he was granted access to the payroll data of Morrisons’ workforce (126,000 employees). The data included the name, date of birth, address, gender, phone numbers, national insurance number, bank details and salary details of each employee. Mr Skelton carried out his task and produced the data to KPMG, as instructed. However, he also transferred the data to a personal USB stick.

On 12th January 2014, Mr Skelton uploaded a file containing 98,998 employees’ details to a public file-sharing website. On 13th March 2014, Morrisons’ financial results were due to be announced. Mr Skelton sent CDs containing the data to three local newspapers, claiming to be a member of the public who had stumbled across it online. One of the newspapers contacted Morrisons, informing them of the leak. They did not publish the data that they had acquired. Following investigations, Mr Skelton was arrested and convicted. He was sentenced to eight years’ imprisonment. The breach cost Morrisons £2.26 million. A novel feature of this matter was that Mr Skelton’s actions were carried out with the intention of harming his employer.

Subsequently, 9,263 employees brought claims against Morrisons for breach of the statutory duty created by s4 (4) Data Protection Act 2018, misuse of private information and breach of confidence. The employees also alleged that Morrisons was vicariously liable for Mr Skelton’s conduct.

Morrisons argued the following at trial:

  • Vicarious liability could not attach to a breach of the DPA as Mr Skelton was the data controller and he subsequently disclosed the data;
  • The DPA excluded vicarious liability for misuse of private information or breach of confidence;
  • Mr Skelton’s wrongful conduct was not committed in the course of his employment.

These arguments were rejected by Langstaff J on the following grounds:

  • The object of the Directive 95/46/EC was the protection of data subjects. If vicarious liability did not apply, the object of the Directive was defeated;
  • As the Directive’s object was the protection of data subjects, it should be treated as providing additional protection rather than as replacing such protection as already existed;
  • The wrongful conduct was carried out in the course of his employment with Morrisons as they had provided him with the data to carry out the task. They trusted him to carry out this task correctly.

Morrisons appealed this judgment; however, the Court of Appeal dismissed the appeal. Their reasoning for dismissal echoed the judgment of Langstaff J. They held that there was nothing in the DPA which excluded vicarious liability and that Mr Skelton’s actions were committed during his employment with Morrisons.

The Supreme Court handed down the judgment in WM Morrisons Supermarkets plc (appellant) v Various Claimants (respondents) [2020] UKSC 12 on 1st April 2020. The issues to be decided were listed as follows:

  • Are Morrisons vicariously liable for Mr Skelton’s conduct?

If yes,

  • Does the DPA exclude the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA?
  • Does the DPA exclude imposition of vicarious liability for misuse of private information and breach of confidence?

The Supreme Court took the case of Mohamud v WM Morrisons Supermarket PLC [2016] AC 677 into account as the courts below had made numerous references to the reasoning in this judgment. However, the Supreme Court took a different stance when interpreting the rationale behind Lord Toulson’s reasoning. The question of vicarious liability was considered once more.

The general test laid down by Lord Nicholls in Dubai Aluminium Co Ltd v Salaam [2003] 3 WLR 1913 was applied and the question became whether Mr Skelton’s disclosure of the data was so closely connected with acts he was authorised to do by Morrisons, that it resulted in them being carried out whilst acting under his ordinary employment with them. In contrast with the lower courts, Lord Reed explained that the mere fact that Mr Skelton’s employment gave him the opportunity to commit the wrongful act would not be sufficient to warrant the imposition of vicarious liability. The Supreme Court turned to a number of previous court decisions for guidance. Lord Reed drew a distinction in cases where an “employee has engaged, however misguidedly, in furthering his employer’s business and cases where the employee is engaged solely in pursuing his own interests: on a frolic of his own.”[5]

Upon this, it was decided that Mr Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing and that he was, instead, ‘pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings.’[6] It follows that Mr Skelton was not acting in the ordinary course of his employment and the necessary conditions for the imposition of vicarious liability had not been met.

The Supreme Court then proceeded to consider the remaining two issues, although vicarious liability had not been established. In brief, it was found that the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA or for breaches of duties arising under the common law. Since the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes and to the breach of obligations arising at common law, committed by an employee who is a data controller in the course of his employment.

In conclusion, Morrisons were not found to be liable for Mr Skelton’s conduct and the appeal was allowed.

 

The Implications of Morrisons Supermarket PLC v Various Claimants [2020]

The judgment acts as reassurance to employers who experience a similar situation to that of Morrisons, where an employee is acting in furtherance of their own agenda and that agenda is entirely irrational. It is quite clear that employers will not be punished when an individual is acting entirely independently of their employment and the requirement for a close connection is not established.

However, it must be noticed that this judgment was handed down in light of its own unique factual matrix. The decision does not equate to a universal dismissal of vicarious liability in relation to a malicious employee. The circumstances in which a breach occurs will be examined. In Morrisons, the disclosure could not fairly and properly be regarded as carried out by Mr Skelton while acting in the ordinary course of his employment. However, it remains that there will be matters in which there is a finding that the actions are closely connected with the employee’s duties at work.

It follows that the judgment will be of particular interest to claimant solicitors. Many breaches occur as a result of personal vendettas against other individuals, not an employer. Employees may exploit their employers by making use of data held by them, about the individual, in order to further their malicious acts. Should a breach be the result of human error, technological failure, mistake or carelessness, it is likely that claimants will be successful in pursuing a data breach claim. However, when a breach is deliberate, the breadth of considerations will be wider. It is anticipated that the details of the breach will be at the forefront of the discussion. Whether there is sufficient connection between the employment and the wrongdoing will be the first question under scrutiny. Within this, consideration will be afforded to how radical the breach was. As viewed in Morrisons, the vendetta was solely personal and unpredictable. It was wholly unreasonable, in light of the facts, for Morrisons to be held vicariously liable. However, it remains that there may occur a situation whereby the breach was predictable, or where the courts take the viewpoint that a close connection did exist.

Further, Morrisons were able to prove that they had put in place security systems for the processing of personal data which met the required standards. However, had they not, the outcome may have been different. The measures implemented by an employer are likely to be examined. If, for example, the employer has put all necessary security in place and has trusted an employee to carry out their duties in line with data protection laws, as in Morrisons, it is possible that an employer will not be found vicariously liable. However, in a situation where an employer has failed to recognise the potential for an employee to abuse its systems or has not ensured that its security systems comply with the standards expected, an employer may be found vicariously liable. It follows that, in light of this judgment, controls should also include measures to ensure that employees do not disclose personal data, maliciously or for their own gain.

 

Conclusions

The judgment in Morrisons represents the first data class action in the UK of its kind and sets a precedent. It raises multiple questions regarding vicarious liability. Individuals who are affected by a data breach are likely to experience difficulty in pursuing an action on the grounds of vicarious liability where an employee is acting maliciously and entirely outside of their employment. That being said, the judgment should not be interpreted as a universal restriction to actions against all employers in similar situations. The matter was decided on its own facts and the door is left open to other matters, including those where an employee is acting maliciously, motivated entirely by their own personal reasoning.

[1] https://publications.parliament.uk/pa/ld200001/ldjudgmt/jd010503/lister-1.htm

[2] WM Morrisons Supermarket PLC v Various Claimants [2020] UKSC 12 <https://www.supremecourt.uk/cases/uksc-2018-0213.html>

[3] Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113 (QB) <https://www.judiciary.uk/wp-content/uploads/2017/12/morrisons_approved_judgment.pdf>

[4] WM Morrisons Supermarket PLC v Various Claimants [2018] EWCA Civ 2339 <https://www.bailii.org/ew/cases/EWCA/Civ/2018/2339.html>

[5] Dubai Aluminium Co Ltd v Salaam [2003] 3 WLR 1913 <https://publications.parliament.uk/pa/ld200203/ldjudgmt/jd021205/green-1.htm>

[6] https://www.supremecourt.uk/cases/docs/uksc-2018-0213-judgment.pdf para 47