Airmic

Supreme Court – Morrisons’ employee data breach case resolved

In WM Morrison Supermarkets PLC v Various Claimants, the courts have explored where liability falls when an employee commits a data breach. Law firm BLM provides a breakdown of the result and what it means for Airmic members.

The facts

Mr Skelton, a senior IT internal auditor employed by Morrisons, received a verbal warning following his unauthorised use of Morrisons’ postal facilities for private purposes. Some months later, Morrisons’ external auditors requested a copy of its payroll data. Skelton was involved because this fell within the scope of his responsibilities. Having copied the data onto a USB stick, he later posted a file containing the personal details of almost 100,000 Morrisons employees onto a file-sharing website. Skelton was identified as the party responsible and was convicted of criminal offences.

The claimants in this group action (now more than 9,000 in number) were Morrisons employees whose personal details had been revealed by the breach. They pursued claims for misuse of private information, breach of confidence and breach of the Data Protection Act 1998 (“the DPA”), this incident having predated the enactment of the GDPR. The claimants contended that Morrisons was primarily liable in these claims and that, if not, it was vicariously liable for its rogue employee’s actions.

The Supreme Court decision

The Supreme Court unanimously overturned the judgment below. In essence, two issues needed to be considered:

(i) what acts the employee was authorised to do;

(ii) whether there was a sufficiently close connection between the position in which the individual was employed and the wrongful conduct to make it right for the employer to be held liable.

As for (ii), the Supreme Court said that it had to decide whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it might be fairly and properly regarded as done by the employee while acting in the ordinary course of his employment.

Applying those principles here:

  • the disclosure of the data on the internet did not form part of Skelton’s functions and was not an act which he was authorised to do;
  • although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton and his disclosure of it, that did not in itself satisfy the close connection test;
  • the reason why Skelton acted wrongfully was highly material.

The Supreme Court concluded “…it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.”

In the circumstances, Skelton’s conduct was not so closely connected with acts that he was authorised to do that it could fairly be regarded as done by him in the ordinary course of his employment.

What this means for you

The judgment is a welcome surprise for defendants and their insurers. The previous decisions in this case were potentially ruinous for businesses exposed to liability as the result of the actions of a rogue employee out to damage them.

The court seems to have felt that the lower courts got themselves tied up in knots when the position was in fact quite simple: Skelton was “on a frolic of his own” when he disclosed the data, and Morrisons should therefore not be liable for his actions.

The wider question is how useful this will be in other cases. In practical terms there may be relatively few cases where it can be said that the employee was off on a frolic of his own, and there remain many more situations where the close connection test will work in favour of the claimant. It’s a positive step for defendants, but a small one.

There also remains the issue of damages. Had the Supreme Court gone the other way, the eventual damages trial would have been very helpful in drawing a useful line in the sand for quantum in claims of this nature; for now, at least, that will remain an issue for further argument.

That said, the appeal in the equally significant case of Lloyd v Google (which confirms that, subject to a de minimis threshold, civil data breach claims can be pursued without either actual financial loss or evidence of distress) has not yet been heard. Identifying where that threshold lies will also be very important, especially for those dealing with very modest breaches.