The Supreme Court has today overturned the Court of Appeal's ruling in Morrisons Supermarkets Plc v Various Claimants. The decision re-establishes that, when determining an employer's vicarious liability, a key focus is whether the employee was pursuing their own, rather than their employer's, objectives when doing the wrongful act.

The test for rendering an employer vicariously liable for an employee's actions is well established: there has to be a sufficiently close connection between what the employee was employed to do and the behaviour, such that it is fair and proper to regard the employee as acting in the course of their employment and not "on a frolic of their own". It has been less clear how broadly that test should be interpreted, causing concern for employers given the lack of a "reasonable steps" defence against vicarious liability for torts. For example, it was suggested that the Supreme Court's ruling in Mohamud v WM Morrison Supermarkets meant that, where an employee's role involves interacting with customers in some way, an employer might be vicariously liable for any employee conduct towards customers, even if the employee engages in a wholly different nature of interaction from that envisaged (such as by using force or away from the usual work station) and regardless of motive.

The latest case also concerned a former Morrisons employee, who was found guilty of stealing and unlawfully sharing the names, addresses, bank account, salary and national insurance details of almost 100,000 of his former colleagues with news outlets and data sharing websites. The Court of Appeal held that Morrisons was vicariously liable for his actions, on the basis that sending data to third parties (such as the company's external auditors) was within the “field of activities” assigned to the employee as a senior auditor. It considered that there was sufficient connection between his job and the wrongful conduct for the employer to be held vicariously liable, even where it had done as much as reasonably possible to prevent the misuse and the employee’s intention was to cause reputational or financial damage to the employer.

The Supreme Court has now made clear that it is not sufficient for vicarious liability that the wrongful act is of the same kind as those which it is within the employee's authority to do, nor is it sufficient that the job merely provides the employee with "the opportunity to commit the wrongful act". It is also not enough to show that the wrongful act was the culmination of an unbroken temporal or causal chain of events regardless of the employee's motive. The courts below had misinterpreted the Supreme Court’s judgment in Mohamud, which was not intended to change the law. In Mohamud it was key that the employee was purporting to act on his employer's business, threatening the customer not to return to the employer's premises, and not acting to achieve some personal objective. In contrast, in the current case "the employee was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier." The ruling helpfully re-establishes that employers should not be liable for the acts of employees while engaged on "frolics of their own", i.e. pursuing their own rather than their employer's objectives.

Although it did not affect the outcome, the Supreme Court also considered Morrisons’ contention that the Data Protection Act 1998 (DPA) excludes the imposition of vicarious liability in relation to data breaches under that Act and for the misuse of private information or breach of confidence – in effect that the DPA is a statutory scheme which “owns the field” in this respect. The Supreme Court rejected this argument, stating that: “the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breaches of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity.”

The Supreme Court's decision will likely result in a collective sigh of relief for organisations both in relation to their liability for employees' actions generally and their potential liability for data breach class actions. However, it is important to note that it does not close the door on data breach class action compensation as a whole. Boardrooms should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions. Our data protection team has published a detailed ebulletin on the ruling, available here.

Our Data Class Actions team has published an article about the future of class actions, covering this decision, in the August 2020 issue of PLC Magazine. For further details see our Cyber and Data Security blog post here.

Anna Henderson
