Data Breach and Vicarious Liability
In a landmark case, the UK Supreme Court has ruled that the supermarket chain Morrisons is not vicariously liable for a deliberate data breach committed by a former rogue employee who, driven by a grudge against the company, took payroll data relating to around 100,000 employees and published it online.
The decision shows that an employer is unlikely to be liable for a malicious data breach committed by an employee where the employee's wrongful conduct is not closely connected with his/her tasks at work.
A disgruntled employee of Morrisons, Mr Skelton, leaked the personal details of almost 100,000 employees on the internet. Mr Skelton was a senior IT auditor and had been motivated by a grudge against Morrisons following disciplinary action taken against him.
In a group action, over 5,500 employees sued Morrisons for compensation for loss caused by the data breach, including non-pecuniary loss such as distress. The High Court concluded that Morrisons was not directly liable for the breach, which it had neither authorised nor required, and that it was not the “data controller” of the leaked data at the time of the breach.
It said that Morrisons had put in place adequate and appropriate controls and that there was no indication that Mr Skelton, although upset by the recent disciplinary action, could not be trusted to do his job. However, the judge found that Morrisons was vicariously liable for the breach, and Morrisons appealed against that decision.
The Court of Appeal dismissed Morrisons' appeal. It agreed with the High Court that an employer can be held vicariously liable for an employee's breaches of data protection legislation.
Supreme Court decision
The Supreme Court unanimously allowed the appeal, finding that Morrisons was not vicariously liable for the data breach. It ruled that the High Court and Court of Appeal had misunderstood the principles governing vicarious liability, and in particular the “close connection” test. The test applicable to vicarious liability is: the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.
The Supreme Court clarified the following points:
· Field of activities: uploading personal data online was not part of the employee's “field of activities”, as Mr Skelton was not authorised to do so.
· Sufficient connection: a causal connection alone (the employment merely providing the opportunity for the wrong) does not satisfy the close connection test.
· Motive: it is highly relevant whether the employee was acting on the employer's business or for purely personal reasons.
The Supreme Court held that no vicarious liability arose because Mr Skelton was authorised only to transmit the payroll data to Morrisons' external auditors, not to upload the personal data online. His online disclosure was not so closely connected with that task that it could fairly be regarded as having been made in the course of his employment; he was pursuing a personal vendetta against his employer, not furthering its business.
The Supreme Court's decision has significant implications for employers, who had feared that this case would set a precedent for future group actions arising out of data breaches by rogue employees. It offers some reassurance to employers that, although employment may provide an opportunity to commit a wrongful act, this is not of itself sufficient to make an employer vicariously liable for that act.
Written by Hasnath Ahmed, Solicitor