Employer vicariously liable for rogue employee’s data breach
28 November 2018
An employer was held by the Court of Appeal to be vicariously liable for a rogue employee’s deliberate and criminal disclosure of the personal data of other employees. This was despite the employee’s aim being to harm the employer – rather than for any personal gain or to injure third parties – and the fact that the employer had not itself breached data protection legislation. The retailer has said it will seek permission to appeal to the Supreme Court: WM Morrison Supermarkets PLC v Various Claimants  EWCA Civ 2339
This group litigation followed the intentional disclosure by a disgruntled rogue employee, Mr Skelton, of the personal details of nearly 100,000 employees. As part of his job, Skelton had been given access to payroll data in order to provide it to the employer’s auditors. However, he copied that data, whilst at work, onto a personal USB stick and posted it onto a file-sharing website. Skelton was convicted and charged with fraud and offences under the Data Protection Act 1998 (DPA) and the Computer Misuse Act 1990. Around 5500 employees brought this claim for damages for the misuse of private information, breach of confidence and breach of statutory duty under the DPA.
This appeal related only to vicarious liability. The first instance finding that Morrisons bore no primary liability stands.
Although the case was decided under the DPA, the principles are equally applicable under the Data Protection Act 2018 and the GDPR.
DPA does not exclude vicarious liability
The employer had to show that the DPA excluded vicarious liability for breach of statutory duty under the DPA and at common law (for misuse of private information and breach of confidence). It argued that the DPA is a comprehensive code for data breaches of this kind and so excludes any vicarious liability for the wrongful processing of data by an employee. The court disagreed holding that vicarious liability is not confined to common law wrongs: it applies equally to breaches of statutory duty, provided the statute does not state otherwise because:
1. If Parliament had intended such a “substantial eradication” of common law rights, it would have expressly stated so.
2. Although the argument was all about vicarious liability, the employer had to accept that primary liability for the misuse of private information and breach of confidentiality is not excluded by the DPA. The court viewed this as inconsistent with one of the main objects of the DPA (the protection of privacy and the provision of an effective remedy).
3. The DPA does not overlap with common law; it is only concerned with the primary liability of the data controller (whom both parties accepted was Skelton and not the employer) and there are no provisions in the DPA addressing the situation of an employer whose employee data controller breaches it.
Test for vicarious liability satisfied
Having decided that the DPA did not exclude vicarious liability, the court applied a two-stage test to decide whether the employer was vicariously liable. The test is based on the Supreme Court’s decision in Mohamud v WM Morrison Supermarkets plc  UKSC 11.
Stage 1: ascertaining the ‘field of activities’ of the employee
The employer had entrusted Skelton with its payroll data: his role was to receive it, store it and to disclose it to a third party (the auditor). The court determined that the fact he chose to disclose it to other (unauthorised) third parties was “nonetheless closely related to what he was tasked to do”.
Stage 2: whether there is a sufficient connection between the employee’s field of activity and the wrongful conduct
Sufficient connection is usually found where the employee uses or misuses the position entrusted to him thereby injuring a third party; the court concluded that since the employer selected the employee it is right under principles of social justice that the employer should be responsible.
The employer argued that there was insufficient connection because the unlawful disclosure by Skelton had been done at home, on his own computer, outside of working hours, and several weeks after he had originally downloaded the data. The court disagreed holding that:
− The claimants’ cause of action was already established when Skelton was at work when he improperly downloaded the data, rather than when he subsequently disclosed it online.
− Vicarious liability does not only apply if the employee is “on the job”; although the time and place when the relevant act occurred are relevant, they are not conclusive. The court referred to numerous cases in which employers had been vicariously liable for torts committed away from the workplace, including Bellman v Northampton Recruitment Ltd  EWCA Civ 2214 (discussed below).
− It approved the trial judge’s findings on sufficient connection:
− an unbroken thread linked Skelton's employment to the disclosure as a “seamless and continuous sequence of events”;
− the employer intentionally entrusted Skelton with the data during the course of his employment; and
− the employer tasked Skelton with receiving, storing and disclosing the data; therefore his actions (albeit unlawful) were closely related to the task he was given.
Employee’s motive irrelevant
Since Skelton's intention was to harm Morrisons, rather than benefit himself or injure a third party, the retailer argued that, if it were found vicariously liable, this would render the court an accessory in furthering Skelton's criminal aims. The court disagreed holding that the employee’s motive is irrelevant and an intention to cause financial or reputational harm to the employer was no exception and could not prevent a finding of vicarious liability.
Vicarious liability for torts committed away from the workplace
A differently constituted Court of Appeal handed down its judgment in Bellman just under a fortnight before the appeal in this case. In Bellman, the defendant company, Northampton Recruitment, was held to be vicariously liable for an assault committed by its managing director, Mr Major, on another employee after a work Christmas party. Mr Major was held to be still acting as Managing Director at a separate drinking session, which took place after the Christmas party and was where the assault occurred, rather than as a “mere reveller”. The judgment, whilst recognising that the facts giving rise to vicarious liability were unusual, provides a useful analysis as to how vicarious liability can play out away from the workplace.
Implications for employers
The starkness of this case for employers is that Morrisons was not primarily liable under the DPA and the Information Commissioner’s Office (ICO) had decided that no enforcement action against Morrisons was necessary. Nonetheless it was still held to be vicariously liable for the actions of an employee acting out of malice.
The court was not swayed by the impact of placing this burden on an ‘innocent’ employer; it was more concerned that victims would otherwise be left with no remedy except against the individual employee, adding that the solution is for employers to insure against such losses. However, the likely premium for this type of insurance cover may well make it prohibitively expensive, especially when customer data is taken into account.
As noted above, this case was decided under the DPA. However, the principles of vicarious liability would be the same in respect of the Data Protection Act 2018 and the GDPR. Indeed, it is possible we may see more group litigation claims due to increased data subject awareness and the fact the GDPR actively encourages group claims for data breaches.
Morrisons are seeking leave to appeal to the Supreme Court.
This case summary is part of the Allen & Overy Litigation and Dispute Resolution Review, a monthly publication. If you wish to receive this publication, please contact Amy Edwards, firstname.lastname@example.org.