Vicarious Liability for Employee’s Data Breach: Key Takeaways from the U.K. Supreme Court’s Judgment

Akin Gump Strauss Hauer & Feld LLP

On April 1, 2020, the U.K. Supreme Court handed down its judgment in the case of WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the first class action-type claim concerning a data breach in the U.K. In this alert, we set out the key takeaways of this important judgment, which clarified that vicarious (secondary) liability for employers can in principle apply following an unauthorised and unlawful disclosure of personal data by an employee. This is separate from the risk of primary liability for breach of the data protection laws. The case was decided under the Data Protection Act 1998, but the principle confirmed by the Supreme Court applies equally under the 2018 Data Protection Act that implemented the General Data Protection Regulation (GDPR).

WM Morrison Supermarkets plc (“Morrisons”), one of the largest chains of supermarkets in the U.K., faced a claim for vicarious liability for wrongdoing by an employee, who unlawfully and without authorization disclosed the personal data of nearly 100,000 individuals. Morrisons defended the claim by arguing, inter alia (a) that no vicarious liability arose on the facts in respect of the wrongful conduct of the employee in this case; and (b) that, as a matter of principle, an employer could not be vicariously liable for statutory torts committed by an employee data controller in breach of the Data Protection Act. Morrisons were unsuccessful in the lower courts, exposing them to liability for damages to the tune of a reported £55 million ($68 million). The Supreme Court, however, decided in their favour on the application of the facts to the law of vicarious liability; but at the same time, confirmed that an employer can in principle be held vicariously liable for breaches of the data protection statute committed by its employees. The implications for businesses are discussed at the end of this alert.

Facts

In November 2013, Mr. Skelton, a senior IT audit employee of Morrisons, was tasked with preparing and providing KPMG, the auditing firm, with payroll data required for the performance of the annual audit of the supermarket chain. To enable him to carry out the task, Mr. Skelton was given access to personal data relating to around 126,000 of Morrisons’ employees, including their name, address, gender, date of birth, phone number (home or mobile), national insurance number, bank account number and salary. Mr. Skelton, as it turned out, harboured a personal grudge against Morrisons following an earlier reprimand for minor misconduct at the company, and designed a “cold and calculating” plan aimed at causing Morrisons as much damage as possible. He surreptitiously copied nearly all that payroll data from his work laptop on to a personal USB stick. In January 2014, he uploaded the data onto a publicly accessible file-sharing website, and links to that website were also placed elsewhere on the web. In March 2014, he sent the file anonymously to three U.K. newspapers (who did not publish the data, alerting Morrisons instead).

The fallout of Mr. Skelton’s actions was significant. Morrisons spent more than £2.26 million ($2.8 million) dealing with the immediate aftermath of the unauthorized disclosures, mostly on implementing identity protection measures for its employees. Separately, Mr. Skelton was arrested and subsequently convicted and sentenced to eight years’ imprisonment.

Claim against Morrisons and lower instances judgments

In December 2015, around 5,500 employees, whose personal data had been disclosed, brought a claim against Morrisons, after the court granted a group litigation order (the principal means of bringing a class action in the English Courts). The number of claimants subsequently increased to over 9,000. They sought damages for “distress, anxiety, upset and damage” on the grounds of alleged misuse of private information, breach of confidence and breach of statutory duty under Section 4(4) of the Data Protection Act. It was alleged that Morrisons were primarily liable under those heads of claim, or alternatively, that Morrisons carried vicarious (secondary) liability for the wrongful conduct of Mr. Skelton.

After a 10-day trial on the issue of liability only (with trial on quantum to be held later), the first instance judge rejected the argument that Morrisons were under any primary liability. He said that the company itself did not disclose the information or misuse it and, although Morrisons breached one of the principles under the Data Protection Act, that did not result in any loss suffered. However, applying the authorities that bound him, the judge (somewhat reluctantly) found that Morrisons were vicariously liable for Mr. Skelton’s wrongful actions. The judge’s concern with arriving at that decision was that it would render the court an accessory in furthering Mr. Skelton’s criminal aims, as Mr. Skelton’s motive for perpetrating the unlawful disclosure was to harm Morrisons (which a judgment against it would ultimately do).

On appeal, the Court of Appeal confirmed that Morrisons were vicariously liable, stating that the motive of the rogue employee was irrelevant. Morrisons appealed to the Supreme Court.

The Supreme Court judgment

There were two issues in front of the Supreme Court. First, whether Morrisons were vicariously liable for Mr. Skelton’s conduct under the relevant common law principles. If so, the second question was whether the Data Protection Act excluded vicarious liability for breaches of its own provisions, committed by an employee as a data controller, or for misuse of private information and breach of confidence.

Regarding the first issue on vicarious liability, after substantial consideration of the common law authorities the Supreme Court unanimously held that on the facts of this case, Morrisons were not vicariously liable for Mr. Skelton’s conduct. The Court reasoned that Mr. Skelton’s wrongful conduct was not sufficiently closely connected with acts which he was authorised to do, leading to the conclusion that his conduct could not fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

As the answer to the first question was no, the second issue under the Data Protection Act did not technically arise, but the Supreme Court helpfully went ahead with expressing its view on it. The Court stated that, contrary to Morrisons’ submissions, the imposition of a statutory liability upon an employee as a data controller did not exclude the imposition of a common law vicarious liability upon his employer. Further, the Court confirmed that the conclusion was not affected by the fact that the statutory liability of a data controller under the Data Protection Act is based on a lack of reasonable care, whereas vicarious liability is not based on fault.

Key takeaways

Where companies are faced with an unauthorised disclosure following an employee’s misconduct, exposure may be two-fold: primary liability and, as the judgment now confirms, vicarious liability as well.

Although Morrisons escaped primary liability for breach of (among other things) the 1998 Data Protection Act, the Judge did find it liable in one aspect, as it had failed to discharge its duty under the 1998 Data Protection Act to take appropriate organisational measures to guard against unlawful disclosure and/or data loss (although no loss was suffered and hence no damages due).

For breaches that have taken place after May 2018, the analysis would be carried out under the 2018 Data Protection Act, implementing the GDPR. Employers should ensure that they are therefore compliant with the GDPR, including by putting appropriate technical or organizational measures in place to safeguard against internal and external threats to data protection and cybersecurity. Targeted training to the workforce, in particular the employee data controllers, should be provided on a regular basis. Consideration should be given to keeping the organization’s reporting and breach notifications policies adequate and up-to-date.

For vicarious liability, the findings by the Supreme Court are not confined to the old data protection regime; they apply in respect of the 2018 Data Protection Act too. The judgment confirmed that companies are unlikely to be liable if the employee was engaged “on a frolic of his own”. However, if the misconduct is committed while the employee is purporting to act in the course of his or her employment, furthering his or her employer’s business, vicarious liability will likely be at play.

Much will depend on the facts of each case: it is telling that in this case, the Information Commissioner’s Office (ICO), the U.K. data protection authority, had reportedly investigated the data breach in 2014 and determined that no formal action was necessary. The ICO also reportedly sent a letter to the Court during the Court of Appeal proceedings, noting that the Commissioner was in agreement with the position adopted by Morrisons. Ensuring compliance with the GDPR by all employees would be ideal, but achieving this without extensive and intrusive monitoring (which is not allowed) is a fine balance. Insurance against cybersecurity risks may become even more prominent going forward.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising
