Yesterday, April 1st, the Supreme Court handed down its landmark judgment in one of the most-watched data protection cases in years: Various Claimants v Morrisons. It unanimously ruled that Morrisons was not vicariously liable for the 2014 data breach by a disgruntled employee who exposed the personal data of around 100,000 Morrisons employees. The decision overturns a huge class action case against the supermarket chain.
Background to Morrisons Case
In mid-November 2013, Morrisons gave one of its senior internal auditors, Andrew Skelton, who worked at the Bradford head office, access to the payroll data of its entire workforce, amounting to around 120,000 individuals. He was supposed to pass this data to Morrisons' external auditors for statutory auditing purposes.
Unknown to Morrisons, Skelton copied the data of all 120,000 individuals from his work laptop and, in January 2014, disclosed much of it online on a file-sharing website. He then anonymously sent a CD containing the data to three different newspapers, pointing out that the data was available on the web, timing this for the day Morrisons published its annual financial results so as to maximise damage to the company. Two of the newspapers alerted Morrisons, and the supermarket chain immediately contacted the police and tried to get the website taken down.
The data of just under 100,000 Morrisons employees was affected by the online disclosure, which was not only unlawful but criminal. The personal information published online included names, addresses, bank account details and salary information.
In an attempt to avoid being caught, Skelton uploaded the data to the file-sharing website from home, used a 'burner' phone and a false email address, hoping to frame a fellow employee. He also used 'The Onion Router' (Tor) to disguise his computer's connection to the internet. Skelton later admitted he did it to punish his employer for disciplining him earlier in 2013.
Despite going to great lengths to avoid getting caught, he was found out and arrested. Skelton was prosecuted and sentenced to eight years in prison under the Data Protection Act 1998 and Fraud Act 2006.
Morrisons Group Litigation
After Skelton's prosecution, a group of 9,263 current and former Morrisons employees whose data was affected by the online disclosure mounted a group action against Morrisons. They all said they had suffered distress as a result of the breach of their private data, and that Morrisons should be held liable in damages for this distress for breach of statutory duty under the Data Protection Act, either directly or vicariously. Had these claimants been successful, Morrisons would potentially have had to pay out on claims from all 120,000 employees whose data was exposed.
The High Court Ruling
The High Court dismissed the claim that Morrisons was directly liable for the disclosure. This was on the grounds that the disclosure was not done on Morrisons' behalf and was not down to any failure by Morrisons to apply appropriate security measures to its payroll data; Morrisons therefore could not be held directly liable for any harm or distress caused by the disclosure. However, the High Court did find that Morrisons could be held liable on a vicarious basis.
The High Court ruled that the case satisfied the two-stage test. Firstly, there was a relevant relationship between Skelton and Morrisons – one of employment. Secondly, the tort (misuse of private information) was sufficiently closely connected with that employment. Mr. Justice Langstaff found that “an unbroken thread linked his work to the disclosure.”
Morrisons took this to the Court of Appeal, which dismissed the appeal, agreeing with the High Court's judgment. Lawyers for Morrisons argued the firm was "entirely blameless" and would be exposed to "compensation claims on a potentially vast scale" if the ruling stood.
The Supreme Court Judgment
Unwilling to accept this, Morrisons appealed against the Court of Appeal's judgment and the case was taken to the Supreme Court. The Supreme Court has now unanimously concluded that Morrisons could not be held liable on a vicarious basis, because vicarious liability was not established on the facts. When Skelton carried out his criminal act of disclosing the data online, he was not acting "in the course of his employment" and was "not engaged in furthering Morrisons' business but was pursuing a personal vendetta"; vicarious liability therefore could not be imposed on Morrisons.
The Supreme Court held that the Court of Appeal had misunderstood the principles governing vicarious liability.
- Firstly, they noted an employer will not be liable for an employee’s wrongful act where this act was not helping to further the employer’s business but was actually a deliberate act to harm the employer as part of a personal vendetta.
- Secondly, the employee’s actions in causing the data breach were not within the “field of activities” of the employee. This meant that his actions were not so closely connected with his job that they can be fairly regarded as made whilst acting in the ordinary course of his employment.
- Thirdly, a temporal or causal link is not enough. The fact that his employment gave him the opportunity to commit this crime is not sufficient to warrant a ruling of vicarious liability.
In a statement, the supermarket said: “We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his (Skelton’s) actions when he was acting alone, to his own criminal plan, and he’s been found guilty of this crime and spent time in jail.”
Even though Morrisons succeeded on the argument that it should not be held vicariously liable for this data breach, it lost the argument that the Data Protection Act 1998 (DPA) operated to exclude vicarious liability altogether. That argument was rejected; as the Supreme Court neatly put it, "the DPA is silent about the position of a data controller's employer". Because the DPA was silent on the issue, there was no basis to conclude that it excluded vicarious liability completely.
This ruling has provided some much-needed clarity on the potential scope of vicarious liability in data breach cases. It has not ruled out the possibility of employers being found vicariously liable in such cases, and the analysis in future cases under GDPR is unlikely to differ from that which the Supreme Court applied under the DPA. It is clear that in rogue employee data cases the facts matter enormously, and with the right facts a finding of vicarious liability could still be made. It is also clear from this judgment that the mere fact that an employer entrusts a rogue employee with data is not by itself sufficient to warrant a finding of vicarious liability.
Although this ruling was likely warmly welcomed by employers and their insurers throughout the UK, the Supreme Court has still left the door open for class actions to be brought under the DPA, and likely GDPR, if an employer is held vicariously liable for a data breach. This was a landmark judgment in both the data protection and employment fields and will likely have far-reaching ramifications. The outcome, however, does not affect any of our current data protection claims cases, as in these instances the companies were directly liable for the breach of personal data.
If you have been the victim of a data breach, you could be entitled to claim compensation. HNK Solicitors have a specialist team of data protection claims solicitors who can help you secure the compensation you deserve. For more information or to discuss your data protection claim contact HNK Solicitors on 0151 668 0809 or firstname.lastname@example.org.