Supreme Court finds Morrisons not vicariously liable for mass data breach caused by employee

Written on 1 Apr 2020

In a judgment handed down on 1 April 2020, the Supreme Court has reversed the decision of the Court of Appeal and found that Morrisons was not vicariously liable for the actions of a rogue employee who posted payroll data of 100,000 other employees on a file-sharing website.

This decision is good news for compliant businesses that nevertheless come under fire as a result of data breaches and other acts perpetrated by malicious employees.

Nevertheless, the Supreme Court left open the possibility of an employer being vicariously liable for data breaches perpetrated by an employee data controller in other circumstances.

What was the claim about?

In March 2014, it came to Morrisons’ attention that a file containing personal data relating to 99,998 employees had been posted to a file-sharing website. The file contained information including names, dates of birth, addresses, national insurance numbers, and bank sort codes and account numbers. It soon became apparent that the file was posted by a senior IT auditor, who had access to the data when he was tasked with delivering it to Morrisons’ external auditors on a USB stick.

The individual had been harbouring a grudge against Morrisons stemming from a previous disciplinary issue, and took the opportunity to copy the data from the USB stick and post it online. The individual was arrested and subsequently sentenced to eight years imprisonment for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

The claim was initially brought by 5,518 of the employees whose data had been included in the file, a group that subsequently expanded to 9,263 by the time of the Supreme Court hearing.

The Court of Appeal, upholding the High Court's decision, found that, despite Morrisons having taken appropriate technical and organisational measures to protect the data, it was vicariously liable for the actions of the individual. Although the act of uploading the file had taken place outside work hours and premises, there was “an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events”. It was relevant that the individual had been entrusted with the data, not merely given access rights to it. His task was to store the data and disclose it to a third party. What he had done was not what he was authorised to do, but was closely related to the task he was entrusted to perform. It did not matter that his motive was a personal one.

Morrisons appealed to the Supreme Court, which was asked to consider:

  • whether Morrisons was vicariously liable for the individual’s conduct; and
  • if so, whether the DPA excludes the imposition of vicarious liability for (a) statutory torts committed by an employee data controller under the DPA and (b) misuse of private information and breach of confidence.

What did the court decide?

Vicarious liability

The Supreme Court dismissed the reasoning of the Court of Appeal and considered the position afresh, finding that the High Court and the Court of Appeal had misunderstood the existing authority on vicarious liability. In particular, the Court of Appeal appeared to have taken Lord Toulson's comment in the case of Mohamud v WM Morrisons Supermarkets plc [2016] UKSC 11 that "motive is irrelevant" out of context. On the contrary, the Supreme Court considered that "whether he was acting on his employer’s business or for purely personal reasons was highly material".

The key question, applying the established test, was whether the individual’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

Their Lordships found that the mere fact that the individual’s employment gave him the opportunity to commit the wrongful act would not be sufficient to warrant the imposition of vicarious liability. They reasoned that: "In the present case, it is abundantly clear that [the employee in question] was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier."

Morrisons could not, therefore, be vicariously liable for the actions of the individual.

Whether the DPA excludes vicarious liability

Having concluded that the necessary conditions for the imposition of vicarious liability did not exist, it was not strictly necessary for the Court to go on to consider this issue. However, the Court elected to do so.

The Court found that, since the DPA neither expressly nor impliedly indicates otherwise, imposing statutory liability on the employee as a data controller was not inconsistent with the co-existence of potential vicarious liability of employers at common law, whether for a breach of the DPA or for a common law or equitable wrong. Vicarious liability was not, therefore, excluded by the DPA.

Osborne Clarke comment

The decision is good news for employers, particularly in the context of their potential liability for data breaches. It reaffirms that where employers can demonstrate that they have complied with their own obligations as a data controller, they will not be liable for the acts of employees that are carried out for their own personal motives outside of their duties.

However, the risk of vicarious liability remains. Employers need to be especially vigilant about the responsibilities of those entrusted with access to, and protection of, personal data, and should keep such privileges under constant review, particularly if employees fall under suspicion.

Whilst most data breaches are caused by external attacks or inadvertent human error, deliberate thefts or leaks of data by employees are increasingly common, and we have seen the Information Commissioner's Office becoming more active in the criminal prosecution of such actors.

This case highlights the significant costs to business of such actions by rogue employees. Morrisons had spent more than £2.26m in dealing with the immediate aftermath of the disclosure, a significant part of which was spent on identity protection measures for its employees. Even where there is no finding of any wrongdoing by a data controller, the costs can be enormous where an employee acts maliciously, or even negligently, in the course of their duties.