The Supreme Court has handed down its judgment in the case of Wm Morrison Supermarkets Plc (Morrisons) v Various Claimants, overturning the previous decisions of the High Court and the Court of Appeal and ruling in favour of the supermarket giant.
The issue for the Supreme Court to decide was whether Morrisons, as an employer, was vicariously liable for the act of one if its employees (Andrew Skelton), who deliberately disclosed his co-workers’ personal data on the internet.
What is vicarious liability?
Under the law of torts, an employer will be vicariously liable for wrongs committed by its employees where there is a sufficient connection between the employment and the act of wrongdoing.
In determining whether the employer is liable, a Court will ask the following two questions:
- Is the relationship between the wrongdoer and the person/company alleged to be liable, one that is capable of giving rise to vicarious liability?
- Is the connection between the employment and the wrongful act so close that it would be just and reasonable to impose liability?
It is well established that the employer-employee relationship is one capable of giving rise to vicarious liability. However, there has been much debate over the years concerning the second stage of the test and much will depend on the specific circumstances and facts of the case.
Morrisons v Various Claimants
Mr Skelton worked for Morrisons as an internal IT auditor.
He developed a grudge against the supermarket after being served with a verbal warning for minor misconduct. As part of his role, he was asked to provide payroll data for the entire workforce to external auditors.
Mr Skelton copied the personal data, including payroll data of c.100,000 employees onto a USB stick. He then took the stick home and, instead of sending the data to the supermarket’s auditors, decided to publish this on the internet, using a colleague’s details in an attempt to conceal his actions. He also sent the data to three national newspapers, purporting to be a concerned member of the public.
Morrisons spent millions of pounds dealing with the fallout from the data breach and Mr Skelton was ultimately convicted of criminal offences, including an offence under the Data Protection Act 1998.
Over 9,000 of the employees whose data had been disclosed brought a claim against Morrisons alleging, amongst other things, that Morrisons was vicariously liable for Mr Skelton’s actions.
High Court proceedings
The High Court found that Morrisons was vicariously liable for Mr Skelton’s actions because there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct.
Morrisons appealed the High Court decision, arguing that Mr Skelton’s wrongful acts did not take place during the course of his employment.
Court of Appeal proceedings
The Court of Appeal dismissed the appeal, finding that the High Court had correctly concluded that Mr Skelton’s actions at work and the disclosure on the internet constituted a seamless and continuous sequence of events and therefore Morrisons was vicariously liable. Mr Skelton was entrusted with the payroll data and instructed to send that data to third parties as part of his role. They held that the motive for an employee’s act was irrelevant, and the fact that Mr Skelton was trying to harm Morrisons because of his personal vendetta against them did not prevent them from being vicarious liable.
Morrisons then appealed to the Supreme Court.
Supreme Court proceedings
The Supreme Court undertook a comprehensive review of the laws relating to vicarious liability and overturned the previous decisions, ruling that Morrisons could not be held liable for the actions of Mr Skelton.
They held that although there was a close link and an unbroken chain of causation linking the provision of data to Mr Skelton and him disclosing it on the internet, this did not satisfy the close connection test.
Mr Skelton was not furthering his employer’s business when he published the data on the internet. In this instance, the Supreme Court found that the reason why Mr Skelton had acted wrongfully was relevant and that there was no vicarious liability as Mr Skelton was “on a frolic of his own”. In circumstances, such as this, where the actions of an employee is one of ‘personal vengeance’, they are in no way acting in the business interests of the employer. As such, Morrisons was not vicariously liable for the actions of Mr Skelton.
Although the facts of this case were extreme, employers can be reassured that they will not always be liable for data breaches committed by maverick employees.