Employers vicariously liable for data breach
Employers could be vicariously liable for an employee’s misuse of data even if they had done all they reasonably could to prevent it.
Various Claimants v Wm Morrisons Supermarket Plc [2017] EWHC 3113 (QB), before Mr Justice Langstaff, Royal Courts of Justice – 1 December 2017
Employers could be vicariously liable for an employee’s misuse of data even if they had done all they reasonably could to prevent the misuse and were not legally at fault.
On 12 January 2014 a file containing personal details of 99,998 employees of Morrisons was posted on a file sharing website. On 13 March 2014 a CD containing a copy of the data was sent to three newspapers. Following investigations it was identified that Andrew Skelton, who had been formerly employed by the company as an auditor, was responsible for the data disclosure.
In July 2015 Skelton was convicted of offences under the Computer Misuse Act 1990 and under the Data Protection Act 1998 (DPA). He was sentenced to eight years in prison.
The claim was brought by 5,518 employees of Morrisons whose data was disclosed by the actions of Skelton on 12 January and 13 March 2014. They claimed compensation for breach of statutory duty (under section 4(4) of the DPA) and at common law (the tort of misuse of private information and an equitable claim for breach of confidence). The claim was put on the basis that Morrisons had both primary liability for their own acts or omissions and were vicariously liable for the actions of Skelton.
After a two week trial on liability between 9 and 19 October 2017 Mr Justice Langstaff handed his reserved judgment down on 1 December 2017.
He dismissed the primary claim against Morrisons on the basis that they had not been at fault by breaking any of the data protection principles, save in one respect which was not causative of any loss, and that they could not be held directly liable for misuse of private information or breach of confidence.
The judge concluded, having heard evidence from staff at Morrisons, that they had proper control mechanisms in place to protect data and that those control mechanisms, save for one exception, were appropriately applied. The judge held that the disclosure took place as a result of a criminal act which was not of Morrisons’ doing and which was neither facilitated by Morrisons nor authorised by them.
He did however go on to find, following an exhaustive analysis of the law in relation to vicarious liability, that Morrisons were liable to compensate the claimants for the actions of Skelton.
The judge adopted the test set out in Mohamud v William Morrison Supermarket Plc [2016] UKSC 11, where the Supreme Court held that a petrol pump attendant (also employed by Morrisons) was acting in the course of his employment when he physically attacked a customer.
In that case the court looked at two issues:
- What function or field of activities have been entrusted to the employee (i.e. what was the nature of his job). This is to be considered in a broad context.
- Whether there is a sufficient connection between the position in which he was employed and his wrongful conduct for it to be just for the employer to be liable.
Applying that test, the judge concluded that Skelton was acting within the course of his employment because there was an unbroken thread linking Skelton’s work to the disclosure, which included his actions in downloading the data from his work computer to a personal USB stick.
The judge noted that in the course of his employment Skelton had regularly been in receipt of information which was confidential or had a limited circulation. Morrisons believed he could be trusted to deal with it safely, and took the risk that they might be wrong in placing that trust in him.
Skelton’s role in respect of the payroll data was to receive it, store it and disclose it to a third party. His decision to disclose it to others was not authorised, but it was closely connected to what he was tasked to do. When he received the data he was acting as an employee, and the chain of events from then until disclosure was unbroken. The fact that the ultimate disclosure on 12 January 2014 was made from home, on a Sunday, using his personal equipment did not disengage those acts from his employment.
Further, the criminal motive of Skelton was irrelevant and did not convert an act from one in respect of which there would have been vicarious liability into one for which there would not.
There was sufficient connection between the position in which Skelton was employed and his wrongful conduct to make it right for Morrisons to be held liable under the principle of social justice.
This conclusion would be the same irrespective of whether a breach of duty under the DPA, a misuse of private information, or a breach of the duty of confidence was concerned. The essential acts constituting a legal wrong in each case were the same.
The judge granted Morrisons permission to appeal the decision in so far as it related to vicarious liability.
This is a very significant decision for all organisations in the public and private sector who handle data.
The case also illustrates the broad approach that the courts take to the ‘close connection’ test and employers should be mindful of potential liabilities.
The case shows that even where an employer data controller has done everything it reasonably can to prevent its employees misusing the personal data to which they have access, and is not itself legally at fault, whether under the Data Protection Act 1998 or at common law, it may nonetheless be held vicariously liable for any employee misuse and be left open to financial liability.