UK Supreme Court Says Employer Not Vicariously Liable for Employee’s Data Protection Breach

Goodwin

Employers can take some comfort in the UK Supreme Court’s judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12, which held that Morrisons was not liable for the actions of a rogue employee who uploaded personal data of almost 100,000 employees to a website to seek vengeance against his employer. The case was brought in connection with the Data Protection Act 1998, but the decision remains relevant under the new legislation.

In this case, an employee of Morrisons was tasked with transferring payroll data to an external auditor. The dataset contained the details of 98,998 employees. Having received a warning for misconduct, he used this task as an opportunity to make a personal copy of the personal data and upload it to a publicly accessible website. The employee then anonymously sent CDs containing the file to three newspapers, claiming to be a concerned member of the public. The newspapers did not publish the data, and instead alerted Morrisons to the data breach. Morrisons took active steps to remove the data and minimise the breach. Nonetheless, approximately 9,000 of Morrisons’ affected employees brought a claim against Morrisons and sued for damages in respect of alleged distress, anxiety, upset and damage.

The High Court and Court of Appeal held that Morrisons was vicariously liable for the employee’s breach, as his actions were closely connected to the role and task he had been entrusted with, and his wrongdoing was therefore not enough to break the chain of causation.

The Supreme Court, however, disagreed. It stated that the mere fact that the employee’s role gave him the opportunity to commit the wrongful act would not be sufficient to give rise to vicarious liability. The test is whether the wrongful actions of the employee are so closely connected to the tasks entrusted to the employee that those wrongful actions may be regarded as carried out in the ordinary course of employment. Here, the employee was not furthering Morrisons’ business but was instead pursuing a personal vendetta, and Morrisons was therefore held not to be liable for the employee’s actions.

Employers will welcome this ruling, but should also remain vigilant, as this decision doesn’t rule out the possibility that a successful claim for a data breach caused by a rogue employee could be brought in the future. The Supreme Court was clear that liability will attach to an employer if the employee’s actions were considered to be closely connected to their role. Also, in this case the lower courts had not found any fault with Morrisons’ security measures in connection with the breach, and the case turned solely on the employee’s actions. Had Morrisons not ensured a sufficient level of security was in place to safeguard its personal data, the outcome could have been quite different. Employers, therefore, need to put in place robust internal measures to help maintain the confidentiality of personal data (including training and explaining the impact of data breaches, not only on the employer but on employees themselves) and to ensure appropriate security for the earliest possible detection of a data leak.

Written by:

Goodwin