Morrisons Supermarkets are breathing a sigh of relief since the Supreme Court ruling that they are not vicariously liable for a deliberate data breach by a disgruntled ex-employee who exposed personal data of almost 100,000 of its employees. Vicarious Liability is when an employer is held responsible for something done by an employee in the course of their employment.
In WM Morrison Supermarkets plc v Various Claimants [2020] the Supreme Court considered the circumstances in which an employer is vicariously liable for the conduct of its employees, and whether the Data Protection Act 1998 (DPA 1998) excluded vicarious liability for such claims.
So, what happened?
Andrew Skelton was a senior internal IT auditor in Morrisons’ internal audit team. He was disciplined in July 2013 for minor misconduct and was given a verbal warning which led to him holding a grudge against Morrisons.
Morrisons’ accounts are subject to an annual external audit. In preparation for the audit, KPMG requested payroll data from Morrisons to test their accuracy. The head of Morrisons’ internal audit team delegated the task of collating and transmitting the data to Andrew Skelton. To enable him to carry out the task, he was given access to the payroll data of Morrisons’ entire workforce, which is around 126,000 employees. This included the name, address, gender, date of birth, phone numbers, national insurance number, bank sorting code, bank account number and salary of each member of staff.
He copied the data from his work laptop on to a personal USB stick. He used the username and date of birth of his colleague Andrew Kenyon to create a false email account, in a deliberate attempt to frame him. Mr Kenyon had been involved in the disciplinary proceedings earlier that year. The email account was linked to a pay-as-you-go phone. He then deleted the data from his work laptop.
On 12 January 2014 Andrew Skelton uploaded a file containing the data of 98,998 of the employees to a publicly accessible file-sharing website, with links to the data posted on other websites. On 13 March 2014, the day on which Morrisons’ financial results were due to be announced, Skelton sent CDs containing the file anonymously to three UK newspapers. He said he was a concerned member of the public who had found the file on the file-sharing website. The newspapers did not publish the data and alerted Morrisons.
Within a few hours, Morrisons had taken steps to ensure that the data was removed from the Internet, instigated internal investigations, and informed the police. It also informed its employees and undertook measures to protect their identities. Andrew Skelton was arrested a few days later. He was subsequently convicted of a number of offences and sentenced to eight years’ imprisonment. Morrisons spent more than £2.26m dealing with the immediate aftermath of his actions. A significant element of that sum was spent on identity protection measures for its employees.
In a first case of this kind, 9,263 employees whose personal data had been disclosed sued Morrisons for damages for breach of the Data Protection Act 1998, misuse of private information, and breach of confidence by Mr Skelton, claiming that Morrisons was vicariously liable for his actions.
In the High Court
The High Court said that Morrisons were not directly liable under DPA 1998 but they were vicariously liable for the data breach. They were not directly liable because Andrew Skelton had acted independently from his employer and in doing so, he became the data controller who breached the Data Protection Act. However, Morrisons was vicariously liable for Skelton’s breach of statutory duty under DPA 1998, his misuse of private information, and his breach of his duty of confidence.
The Court said that Morrisons had trusted Skelton to deal with confidential information, and took the risk that it might be wrong in placing that trust in him. His role in respect of the payroll data was to receive and store it, and to disclose it to a third party. That in essence was his task. The fact that he disclosed it to others than KPMG was not authorised, but was nonetheless closely related to what he was tasked to do.
In the Court of Appeal
Morrisons appealed to the Court of Appeal which agreed with the High Court that they were vicariously liable for Andrew Skelton’s wrongdoing. They said that his actions in sending the claimants’ personal data to third parties were within the field of activities assigned to him by Morrisons. Even though Andrew Skelton’s motive in disclosing the personal data was to harm his employer, the Court said that motive was irrelevant.
In the Supreme Court
The Supreme Court disagreed with the High Court and Court of Appeal and said that employers will not be liable for an employee’s wrongful act where that act is not engaged in furthering the employer’s business, and is an effort to deliberately harm the employer as part of a vendetta. For that reason, Morrisons was not vicariously liable for the actions of Andrew Skelton.
And the moral of the story is…?
1. An employee who purposefully and vindictively breaches Data Protection laws will go to jail.
2. Employers are not vicariously liable for an employee’s wrongful act where that act is not engaged in furthering the employer’s business.