Vicarious Liability for Deliberate Data Breaches - More Reasons to Review Business Insurance Needs
Vicarious liability is the imposition of liability on an employer for the acts of its employees in the course of their employment. In WM Morrison Supermarkets Plc v Various Claimants EWCA Civ 2339, the Court of Appeal held that Morrisons was vicariously liable to its current and former employees whose personal and confidential data was misused when another employee, acting criminally, disclosed it on the internet.
In 2014 Andrew Skelton, while employed by Morrisons as a senior IT internal auditor, posted the names, addresses, salary details, national insurance numbers and bank account details of almost 100,000 Morrisons staff members on the internet and sent them to various newspapers. Mr Skelton had developed a grudge against Morrisons following disciplinary proceedings against him in 2013, as a result of which he was given a formal verbal warning.
Morrisons' senior management were made aware of the disclosure and within a few hours had taken steps to ensure that the website on which the data had been posted was taken down. Morrisons also alerted the police, and Mr Skelton was subsequently convicted of fraud and of offences under the Computer Misuse Act 1990 and section 55 of the Data Protection Act 1998 ("the DPA"). He was sentenced to eight years in prison.
In December 2015, 5,518 Morrisons employees commenced proceedings against Morrisons seeking damages for misuse of private information, breach of confidence and breach of the statutory duty owed under section 4(4) of the DPA (together "the Causes of Action"). On the issue of vicarious liability, the Judge at first instance rejected Morrisons' argument that the DPA by its terms excluded any possibility of vicarious liability. He then held that there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct (Morrisons having put him in the position of handling and disclosing the data) to make it right for Morrisons to be held vicariously liable in respect of each of the Causes of Action. The Judge did, however, conclude his judgment by saying that he was troubled by Morrisons' submission that Mr Skelton's wrongful acts were deliberately aimed at the very party whom the claimants sought to hold responsible, so that the conclusion he had reached might render the Court an accessory in furthering Mr Skelton's criminal aims.
Morrisons appealed to the Court of Appeal on three grounds. The first and second grounds were essentially that the DPA excluded the application of vicarious liability in respect of the causes of action; the third ground was that the wrongful acts of Mr Skelton did not occur during the course of his employment and therefore Morrisons was not vicariously liable for those acts.
With regard to the first and second grounds, the Court of Appeal noted Morrisons' concession that the causes of action for misuse of private information and breach of confidence are not expressly excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA. Furthermore, the complete absence of any provision in the DPA addressing the position of an employer where an employee who is a data controller breaches the requirements of the DPA led inevitably to the conclusion that the common law remedy of vicarious liability of the employer in such circumstances was neither expressly nor impliedly excluded by the DPA.
With regard to the third ground, the Court of Appeal applied the two-stage test set out by the Supreme Court in Mohamud: first, what was the nature of the employee's job; and second, was there a sufficient connection between the employee's position and his or her wrongful conduct to make it right for the employer to be held liable? On the first question it was noted that Morrisons had deliberately entrusted Mr Skelton with the payroll data, and that, so far as the payroll data went, his task was to receive it, store it and disclose it to an authorised third party. Although the disclosures he made were to unauthorised third parties, what he did was nonetheless closely related to what he had been tasked to do.
On the second question, Morrisons argued that the "close connection" test was not satisfied because the act which caused the harm (the disclosure of the data) was done by Mr Skelton at home, using his own computer, on a Sunday, several weeks after he had downloaded the data at work onto his personal USB stick. The Court of Appeal rejected that argument, noting that the claimants' causes of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick while at work. It also endorsed the Judge's evaluation of the events as a "seamless and continuous sequence" and an "unbroken chain" of events. As to the issue which had troubled the Judge, the Court of Appeal held that Mr Skelton's motive was irrelevant.
Morrisons also argued that, given the number of actual and potential claimants, the burden of a finding of vicarious liability on Morrisons (and potentially on other innocent employers) would be enormous. The Court of Appeal dismissed that argument, pointing out that although Mr Skelton's conduct had affected a very large number of employees, seemingly none of them had suffered any financial loss. Had Mr Skelton instead misused the data to steal a large sum of money from an employee's bank account, on Morrisons' argument such a victim might have been left with no remedy other than against Mr Skelton personally.
As such, the Court of Appeal found Morrisons vicariously liable for the torts committed by Mr Skelton against the claimants and dismissed the appeal.
This decision has divided opinion. Some consider it surprising that an employer can be liable for the malicious and criminal acts of a disgruntled employee, particularly where the employee's motive was to cause harm to the employer; others say that well-established principles point to the imposition of vicarious liability on Morrisons. Although the decision may seem unfair at first glance, as the Supreme Court observed in Mohamud: "The risk of an employee misusing his position is one of life's unavoidable facts."
It is possible we will see an increase in "class action" cases against companies where there has been a data breach, particularly where the leak has come from within the company itself. The decision is likely to encourage employers to reduce their exposure by tightening controls over, and monitoring, staff handling of personal data. Ultimately, however, there remains a question mark over what the exposure actually is: although the Morrisons breach affected thousands of employees, it appears that none of them suffered any actual loss or harm.
Cyber, crime, data breach and employee malfeasance insurance is increasingly common. Businesses need to be mindful that they can be held liable for data breaches by employees, even where those employees intentionally act contrary to the business's interests. They need to take steps to reduce the risk of a breach, but should also consider insurance to cover the risk that "one of life's unavoidable facts" occurs.
Immediately following the handing down of the judgment, Morrisons indicated an intention to appeal to the Supreme Court.
For more information, please contact Graham Taylor.