{"id":17606,"date":"2020-04-01T16:09:26","date_gmt":"2020-04-01T15:09:26","guid":{"rendered":"https:\/\/blogs.dlapiper.com\/beaware\/?p=17606"},"modified":"2020-04-01T16:09:26","modified_gmt":"2020-04-01T15:09:26","slug":"uk-supreme-court-upholds-appeal-in-claim-against-morrisons-employer-not-vicariously-liable-for-employees-data-breach","status":"publish","type":"post","link":"https:\/\/blogs.dlapiper.com\/beaware\/uk-supreme-court-upholds-appeal-in-claim-against-morrisons-employer-not-vicariously-liable-for-employees-data-breach\/","title":{"rendered":"UK: Supreme Court upholds appeal in claim against Morrisons: employer not vicariously liable for employee\u2019s data breach"},"content":{"rendered":"<p>Today the Supreme Court allowed an appeal in <em>Morrisons v Various Claimants<\/em><a href=\"#_ftn1\" name=\"_ftnref1\"><strong>[1]<\/strong><\/a>, a significant judgment addressing the extent of an employer&#8217;s liability for data breaches maliciously committed by an employee.<\/p>\n<p>The Supreme Court held that:<\/p>\n<ul>\n<li>The earlier judgments of the High Court and Court of Appeal had misunderstood the principles governing vicarious liability. 
In particular, the judgment in <em>Mohamud<\/em><a href=\"#_ftn2\" name=\"_ftnref2\"><strong>[2]<\/strong><\/a> was not intended to change the law on vicarious liability.<\/li>\n<li>The correct interpretation of the \u201cclose connection\u201d test is that an employer will only be vicariously liable for the wrongful acts of an employee where the wrongful conduct is so closely connected with acts which the employee is authorised to do, that the acts may fairly and properly be regarded as done by the employee while acting in the ordinary course of his or her employment.<\/li>\n<li>In applying this test, the courts must consider:\n<ul>\n<li>what function or \u201cfield of activities\u201d the employer has entrusted to the employee; then<\/li>\n<li>whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice.<\/li>\n<\/ul>\n<\/li>\n<li>Whether an employee is acting on his or her employer\u2019s business or for personal reasons is highly relevant. The reason why he or she commits the wrongdoing is not.<\/li>\n<li>It is a long-established principle that the fact that an individual\u2019s employment gives him or her the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability.<\/li>\n<li>The Data Protection Act 1998 does not exclude the imposition of vicarious liability for statutory or common law wrongs.<\/li>\n<\/ul>\n<p><strong>Background<\/strong><\/p>\n<p>In November 2013, an aggrieved Morrisons employee, Andrew Skelton, downloaded payroll data he was entrusted with at work onto a personal USB stick. 
A few months later, he uploaded the data onto a file-sharing website and later sent it to newspapers.\u00a0 Mr Skelton has been convicted of various criminal offences and, in July 2015, received a custodial sentence.\u00a0Over 5,500 of the 100,000 employees, whose personal data was unlawfully disclosed, issued a claim against Morrisons claiming that their employer should be held vicariously liable for\u00a0Mr Skelton&#8217;s misuse of personal information, breach of confidence, and breach of his statutory duties under the Data Protection Act 1998 (the \u201cDPA\u201d), which was then in force.\u00a0In 2018, the Court of Appeal upheld the High Court\u2019s finding that Morrisons had not breached its primary duties owed to its staff as a data controller under the DPA, but that it was vicariously liable for the criminal actions of Mr Skelton. The Supreme Court was asked to determine:<\/p>\n<ol>\n<li>whether the Court of Appeal erred in concluding that the disclosure of data by Mr Skelton occurred in the course of his employment, for which Morrisons should be held vicariously liable; and<\/li>\n<li>whether the DPA excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence.<\/li>\n<\/ol>\n<p>Today, the Supreme Court upheld Morrisons\u2019 appeal, finding that it was not vicariously liable for the criminal acts of Mr Skelton.\u00a0 However, Morrisons lost the argument that the statutory liability regime established under the DPA excluded application of the common law concept of vicarious liability, not that this changed the outcome of the case as Morrisons was not found to be vicariously liable on the facts.<\/p>\n<p><strong>Vicarious liability <\/strong><\/p>\n<p>Vicarious liability is fact specific but an employer can generally be held liable for torts (eg. 
negligence or breach of confidence) committed by an employee where there is a sufficient connection between the employment and the wrongdoing. Generally, the court will consider whether:<\/p>\n<ul>\n<li>there is a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability; and<\/li>\n<li>the connection between the employment and the wrongful act or omission is so close that it would be just and reasonable to impose liability.<\/li>\n<\/ul>\n<p>A novel feature of the <em>Morrisons<\/em> case is that the employee\u2019s wrongdoing was intended to harm his employer, the very person alleged to be vicariously liable for that wrongdoing.\u00a0 On this point, the High Court expressed unease that, in reaching its conclusion, the court might be rendered an accessory to furthering the rogue employee\u2019s criminal aims. The Court of Appeal dismissed this unease, confirming that the motives of an employee are irrelevant to the assessment of whether or not an employer is vicariously liable for the employee\u2019s acts or omissions.<\/p>\n<p>The Court of Appeal held that, whilst Mr Skelton had the intention of harming his employer, there was both: (i) an unbroken thread that connected his employment to the unlawful disclosure; and (ii) a seamless and continuous sequence of events that led to the data being leaked. 
Mr Skelton&#8217;s actions were, therefore, carried out during the course of his employment by Morrisons, which was deemed vicariously liable.<\/p>\n<p>The Supreme Court departed from these earlier decisions, holding that they were based on a misunderstanding of the established principles of vicarious liability.\u00a0 An employer will only be vicariously liable for the wrongful acts of an employee where the wrongful conduct is so closely connected with acts the employee is authorised to do, that the acts may fairly and properly be regarded as done by the employee while acting in the ordinary course of his or her employment.\u00a0 To apply this test correctly, it is necessary to determine:<\/p>\n<ul>\n<li>what function or \u201cfield of activities\u201d the employer has entrusted to the employee; then<\/li>\n<li>whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice.<\/li>\n<\/ul>\n<p>Mr Skelton was authorised to transmit payroll data to Morrisons\u2019 auditors. His wrongful disclosure of the data was not so closely connected with that task that it could fairly and properly be regarded as made by him while acting in the ordinary course of his employment. 
\u00a0The Supreme Court emphasised that whether an employee is acting on his employer\u2019s business or for personal reasons is highly relevant.\u00a0 Mr Skelton was not engaged in furthering his employer\u2019s business; he was pursuing a personal vendetta.\u00a0 The mere fact that his employment gave him the opportunity to commit the wrongful act is insufficient to impose vicarious liability.<\/p>\n<p><strong>Scope of the DPA<\/strong><\/p>\n<p>Although not relevant to the outcome of the <em>Morrisons<\/em> case, as there was no finding of vicarious liability on the facts, it is nevertheless important to note that the Supreme Court rejected the arguments run by Morrisons that the DPA excludes the application of vicarious liability.\u00a0 In other words, the fact that there is no direct liability under the DPA where a controller has met the requirements of the DPA, does not mean that liability arising on the basis of an employer\u2019s vicarious liability is automatically excluded. Strict vicarious liability could still engage notwithstanding there is no liability under the DPA.<\/p>\n<p>Morrisons argued that:<\/p>\n<ul>\n<li>the DPA provides a comprehensive statutory code for the wrongful processing of personal data;<\/li>\n<li>there is an inconsistency between fault based liability of an employer under the DPA (which considers matters of reasonableness and appropriateness) and strict vicarious liability of an employer at common law (where reasonableness does not come into the equation);<\/li>\n<li>the DPA effectively excludes any scope for liability on an employer for the wrongful processing of personal data by an employee; and<\/li>\n<li>this applies whether the data controller is the employer or the employee (in this case it was the employee).<\/li>\n<\/ul>\n<p>Both the High Court and the Court of Appeal disagreed with this argument and held that the legislative regime imposed by the DPA does not exclude the vicarious liability of an employer for misuse of 
private information by an employee or for breach of confidence.\u00a0 Put simply, if it was to be excluded, Parliament would have made this clear in the drafting of the DPA.<\/p>\n<p>The Supreme Court agreed, expressing the view that Morrisons\u2019 argument that liability was excluded by the DPA regime was \u201c<em>not persuasive<\/em>\u201d. Instead, the Supreme Court considered that as there is no mention in the DPA of the position of a data controller\u2019s employer, there could not be inconsistency between the fault-based liability underpinning the DPA and the strict vicarious liability of the employer.<\/p>\n<p>The court declined to specifically consider the General Data Protection Regulation (EU) 2016\/679 (\u201cGDPR\u201d). However, we consider the position is likely to be the same under the GDPR and the new UK Data Protection Act 2018 (\u201cDPA 2018\u201d).<\/p>\n<p><strong>Implications for employers <\/strong><\/p>\n<p>First and foremost, it is worth bearing in mind that the judgment focussed exclusively on vicarious liability only because Morrisons was able to successfully prove on the facts of the case that it had met the legal standard of care for security and processing of personal data under the DPA.\u00a0 Had it not been able to prove compliance with the legal standard of care under the DPA, it would have faced direct liability for compensation claims.\u00a0 It is vitally important for employers to ensure that there are appropriate controls and information governance in place to protect personal data.\u00a0 Failing to do so may expose the employer to the risk of revenue-based fines under GDPR and the UK DPA 2018 and compensation claims for breach of the GDPR and UK DPA 2018 principles and requirements.\u00a0 These controls should include measures to detect and prevent malicious actions by rogue staff.<\/p>\n<p>Secondly, the DPA 1998 (and in our view based on the same rationale the DPA 2018 and the GDPR) do not create a blanket exclusion of 
no-fault vicarious liability.\u00a0 Vicarious liability could still be imposed depending on the facts of each case even where there is no breach of the &#8211; fault based &#8211; DPA 2018 or GDPR.<\/p>\n<p>Thirdly, the judgment leaves many important open questions of law.\u00a0 In particular there remains very limited judicial consideration as to how quantum of loss should be calculated for compensation claims under the DPA 1998 and the new DPA 2018 and GDPR.\u00a0 Coupled with this there is also the prospect of US-style class actions with the test case of <em>Lloyd v Google<\/em> due to come before the Supreme Court later this year.\u00a0 Litigation funders hailed Mr Lloyd\u2019s victory in the Court of Appeal against Google last year and have significant resources available to facilitate mass class claims.\u00a0 This emphasises the need for appropriate controls and information governance and insurance to be implemented to mitigate the risk of these claims arising in the first place.<\/p>\n<p><em>This article was authored by members of DLA Piper\u2019s litigation, employment and data protection practices.\u00a0 For more information about the case, please contact your usual DLA Piper contact.<\/em><\/p>\n<p><strong>\u00a0<\/strong><a href=\"#_ftnref1\" name=\"_ftn1\">[1]<\/a> WM Morrisons Supermarkets plc v Various Claimants [2020] UKSC 12<\/p>\n<p><a href=\"#_ftnref2\" name=\"_ftn2\">[2]<\/a> Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11; [2016] AC 677<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today the Supreme Court allowed an appeal in Morrisons v Various Claimants[1], a significant judgment addressing the extent of an employer&#8217;s liability for data breaches maliciously committed by an employee. The Supreme Court held that: The earlier judgments of the High Court and Court of Appeal had misunderstood the principles governing vicarious liability. 
In particular, [&hellip;]<\/p>\n","protected":false},"author":50,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[3],"tags":[118,9076,9077],"class_list":["post-17606","post","type-post","status-publish","format-standard","hentry","category-employment","tag-data-protection","tag-gdpr","tag-vicarious-liability"]}