Businesses beware: Morrisons and vicarious liability
The Court of Appeal announced its decision yesterday, 22 October 2018, in the latest round of the first data leak class action in the UK brought against Morrison Supermarkets PLC by a group of its former and current employees.
Last year, a claim for compensation was brought by 5,518 of Morrisons’ employees for breach of the Data Protection Act 1998 (DPA), breach of confidence and misuse of private information. The claim arose from the actions of Andrew Skelton, a senior IT auditor who became disgruntled after receiving a disciplinary sanction from Morrisons, his employer. Mr Skelton deliberately uploaded the names, addresses, dates of birth, bank account details and salaries of almost 100,000 Morrisons employees onto a data sharing website and was later found guilty and sentenced to 8 years for his actions. Morrisons spent £2 million to rectify the breach.
The claim against Morrisons was that it was both primarily and vicariously liable for the actions of Mr Skelton. The trial culminated in the High Court rejecting the claim of primary liability under the DPA, but accepting the claim of vicarious liability. Morrisons’ appeal to the Court of Appeal was dismissed by the appeal judges, who upheld the High Court’s decision that Morrisons was vicariously liable for the torts committed by Mr Skelton against the claimants.
Vicarious liability: what it is and what the Morrisons case might mean
Vicarious liability is the legal principle that liability can be imposed on one person for the actions or crimes committed by another, even when the first person is not at fault. The most common example is when an employer is found to be vicariously liable for the actions of an employee, as was the case with Morrisons.
For an employer to be vicariously liable for the acts of its employees, the act in question must have been committed in the course of their employment. Morrisons argued that because Mr Skelton disclosed the data at home, on his personal computer, and a significant amount of time after he first had access to that data (approximately 2 months), the act could not be deemed to have occurred in the course of his employment. Unfortunately for Morrisons, the trial judge disagreed, finding that there was an unbroken sequence of events, from when Mr Skelton received the data through to when he leaked it, that connected his employment to the breach. The judge also found that, because Morrisons had entrusted him with the payroll data in the first place, it was clear that his task was to deal with that data, and that Morrisons took the risk when entrusting Mr Skelton with it. The Court of Appeal agreed with the trial judge’s decision on this.
This finding of vicarious liability on the part of Morrisons, even though Morrisons demonstrated that it had complied with data protection law, has potentially broad implications for companies and the actions of their employees. It opens companies up to the possibility that they will be held liable for an employee’s actions, even when that action is intended to harm the company and even where steps were taken to rectify the damage caused.
As well as questions of vicarious liability, this case also concerns data protection law and acts as a reminder that companies should make sure their data processing procedures, software and practices are as secure as they can be. Additionally, it would be commercially sensible for companies to consider the terms of their insurance policies: if they are not covered for vicarious liability, they should consider whether to acquire this cover.
Morrisons’ view remains that it was entirely blameless and should not be held responsible for Mr Skelton’s criminal disclosure of data that was carried out as an act of vengeance against it, and Morrisons therefore intends to appeal the decision to the Supreme Court.
For more information and help with this issue or a similar issue please contact Haggai here.