WM Morrisons Supermarkets plc v Various Claimants – Supreme Court hands down decision

The Supreme Court has handed down its Judgment in this high-profile case in which Morrisons appealed previous findings of vicarious liability for a malicious data breach carried out by an ex-employee.

Published 2 April 2020

The Supreme Court has handed down its Judgment in this high-profile case in which Morrisons appealed previous findings of vicarious liability for a malicious data breach carried out by an ex-employee. The appeal also concerned whether the Data Protection Act 1998 excludes the imposition of vicarious liability for either statutory or common law wrongs.

The Supreme Court unanimously allowed Morrisons’ appeal, overturning the decisions of the lower courts, with Lord Reed giving the only substantive Judgment.

Facts

The Appellant operates the Morrisons supermarket chains. It employed Andrew Skelton as an internal auditor. Mr Skelton had previously received a verbal warning following disciplinary proceedings and had developed a grievance against his employer as a result.

In November 2013, Mr Skelton was asked to transmit payroll data from the company to its external auditors, KPMG. In doing so, he made and kept a personal copy of the data on a personal USB stick. The file included the data of 99,998 Morrisons employees. Mr Skelton later uploaded this data to a publicly accessible filesharing website and sent a link to this information to three major newspapers. One of the newspapers contacted the Appellant, which was how the data breach was discovered.

Mr Skelton was later prosecuted and is now in prison. The Respondents to the Appeal were 9,263 of the affected employees, who sued the Appellant on the basis that it was vicariously liable for Skelton’s acts. Their claims were for breach of statutory duty under the Data Protection Act 1998, misuse of private information and breach of confidence.

The Appellant was found to be vicariously liable on each basis claimed at both first instance and at the Court of Appeal. The Appellant, therefore, appealed to the Supreme Court.

Judgment

Vicarious liability

It was held that the courts below had mistakenly applied a key authority on vicarious liability (Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11). In his Judgment, Lord Reed stated that the decision in the Mohamud case “was not intended to effect a change in the law on vicarious liability: quite the contrary”. He found that the courts below had focused on the final paragraphs of the judgment which, taken out of context, had wrongly been treated as establishing legal principles.

Lord Reed’s Judgment said that the Mohamud case never held that the motivation of the employee was irrelevant, as had previously been decided by the lower courts. The Judgment also found that the Mohamud case decided vicarious liability on the basis of the capacity in which the employee was acting, not the temporal and causal connections, as the lower courts had erroneously understood.

Whilst providing a comprehensive summary of the law on vicarious liability, Lord Reed explained that the existing “close connection” test was the correct test to be applied by the courts. This means that the court must determine whether the wrongful conduct of the employee was so closely connected with the acts that the employee was authorised to do in the ordinary course of his employment (also known as the employee’s “field of activities”) that it could fairly and properly be regarded as made while acting in the ordinary course of his employment. Where a sufficient connection exists between the wrongful act and the employee’s field of activities, the employer could be held liable for the employee’s actions.

In the present case, the disclosure of data online was not part of Mr Skelton’s field of activities as it was not something that he was authorised to do. Further, the fact that there was a close temporal link and an unbroken chain of causation between the provision of the data to Mr Skelton to send to KPMG and his disclosing it online did not in itself satisfy the close connection test. The mere fact that Mr Skelton’s employment had given him the opportunity to commit the wrongful act did not warrant a finding of vicarious liability.

Whether the Data Protection Act 1998 excludes the imposition of vicarious liability for statutory wrongs, misuse of private information and breach of confidence

Lord Reed held that, in the light of the court’s findings on vicarious liability, it was not necessary for the court to consider this issue. However, it was desirable that the court expressed a view on it.

The Court’s view is that imposing statutory liability on a data controller like Mr Skelton is not inconsistent with a concurrent finding of vicarious liability at common law against the employer, whether for breach of the statutory duties under the Data Protection Act 1998 or for a common law or equitable wrong. This is because the Data Protection Act is silent about a data controller’s employer.

Analysis

The decision will be welcomed by employers that have no culpability in a mass data breach of this kind, as they are no longer liable to pay compensation to those whose data had been leaked to the public. However, it leaves victims of mass data breaches of this type with no real remedy or compensation for the exposure of their personal data to the public.

In relation to the decision regarding the Data Protection Act 1998, the comments are obiter dicta (and thus not legal authority in future cases). Further, the decision concerns the old regime, which has since been replaced by the Data Protection Act 2018. However, the comments are likely to be persuasive in future decisions concerning mass data breaches of this kind.

The decision should not be taken by employers as a blanket exemption from vicarious liability in these situations. Morrisons had strong compliance in place in relation to the protection of employee data, which was only exposed as a result of an employee’s vendetta against the company. Employers should therefore have proper security, policies and safeguards in place so that they are protected, to the greatest possible extent, against liability in the context of malicious data breaches.
