Employer not vicariously liable for employee’s deliberate data breach
In a welcome decision for employers, the Supreme Court has ruled that an employer was not vicariously liable for a significant data breach committed by a disgruntled employee. It could not be said that there was a sufficient connection between the employee’s authorised activities and the wrongful act of publishing the data on the internet.
What does the law say?
Employers may be liable for torts committed by their employees under the doctrine of vicarious liability. Vicarious liability arises where the connection between the employment relationship and the employee’s wrongful act is sufficient to justify holding the employer responsible for the consequences of the employee’s conduct.
The sufficient connection test was considered by the Supreme Court in its landmark decision in Mohamud v WM Morrison Supermarkets plc UKSC 11 (Mohamud). The Supreme Court ruled that the sufficient connection test involves consideration of two questions:
- What functions or field of activities have been entrusted by the employer to the employee?
- Was there a sufficiently close connection between the employee’s role and the wrongful conduct so as to make it just and reasonable for there to be vicarious liability?
In Mohamud, this approach led the Supreme Court to decide that Morrisons was liable for a petrol station attendant’s unprovoked assault on a customer. They said that the employee had been employed to serve customers and Morrisons had “…entrusted him with that position and…they should be responsible for their employee’s abuse of it”. Although the employee had physically left his workstation and followed the customer to the forecourt to assault him, the Court said this was a “seamless episode” and there had been “an unbroken sequence of events”.
In another case involving WM Morrison Supermarkets plc (Morrisons), the Supreme Court was asked to decide whether Morrisons was vicariously liable for claims arising out of a deliberate data breach committed by a disgruntled employee.
What happened in this case?
Mr Skelton was a senior auditor at Morrisons who developed a grudge after receiving a disciplinary warning in July 2013 for using the company’s mail facilities to send out personal eBay packages. During an annual external audit in November 2013, Mr Skelton was given access to payroll data in order to pass it on to Morrisons’ auditors, KPMG. However, Mr Skelton copied the data onto a personal USB drive and went on to post the personal details of 99,998 Morrisons employees onto a file sharing website.
In March 2014, just before Morrisons was due to announce its annual financial report, Mr Skelton sent a CD containing the data to three UK newspapers. Mr Skelton was ultimately arrested and sentenced to eight years in prison for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).
Over 9,000 affected employees brought proceedings against Morrisons for damages in respect of claims of misuse of private information, breach of confidence and breach of statutory duty under the DPA. The claimants argued that Morrisons was primarily liable for Mr Skelton’s actions or, in the alternative, that Morrisons was vicariously liable for them. The High Court and the Court of Appeal held that Morrisons was not primarily liable but was vicariously liable for Mr Skelton’s actions.
Relying on the decision in Mohamud, the Court of Appeal said there had been an unbroken sequence of events because:
- Morrisons had trusted Mr Skelton with the payroll data and his job role included disclosing the data to a third party (namely KPMG). Therefore, the subsequent disclosure of the data online was closely related to his job, even though it was unauthorised.
- The fact that the wrongful acts took place at Mr Skelton’s home, on his own computer and on a Sunday several weeks after he had been given access to the data in a work capacity did not prevent the close connection test from being satisfied.
- Mr Skelton’s motivation for doing what he did (i.e. revenge for having been disciplined) was irrelevant.
Morrisons appealed to the Supreme Court.
What was decided?
The Supreme Court allowed Morrisons’ appeal and held that Morrisons was not vicariously liable for Mr Skelton’s actions.
The Court said that the High Court and Court of Appeal had gone wrong in their interpretation of the decision in Mohamud. That decision was not intended to elevate the importance of the causal and temporal connection between events. Rather, the references to a “seamless episode” and an “unbroken sequence of events” were aimed at the capacity in which the employee was acting. Further, the reference to the irrelevance of motive was specific to the Mohamud decision.
In this case, it simply could not be said that the disclosure of data on the internet formed any part of Mr Skelton’s field of activities. The close causal and temporal link between the authorised activities (i.e. passing the data to KPMG) and the unauthorised activities (i.e. publishing the data on the internet) was not enough to demonstrate a sufficient connection justifying the imposition of vicarious liability. Further, Mr Skelton’s motive for acting as he did was material. It was clear that he was pursuing a personal vendetta against Morrisons. For these reasons, the Court decided that it was not just and reasonable to make Morrisons vicariously liable for the conduct.
Separately, the Court ruled that the DPA did not exclude the possibility of vicarious liability for breaches of the DPA and/or of obligations arising at common law or in equity. The imposition of a statutory duty on an employee acting as a data controller was not inconsistent with the imposition of vicarious liability on the employer. However, in this case, it was not just and reasonable to impose vicarious liability on Morrisons.
What are the learning points?
This is a welcome decision for employers which shows that the concept of vicarious liability is confined by the employee’s field of activities. The fact that the employee’s job provides them with the opportunity to commit a wrongful act is not enough to establish a sufficient connection. There is a distinction between cases where the employee is misguidedly attempting to further his employer’s business interests and cases where the employee is simply “on a frolic of his own” and pursuing his own interests. An employee acting to further a personal vendetta against his employer is very likely to be in the latter camp.
Whilst employers should be mindful of the risk of vicarious liability for breaches of the Data Protection Act 2018 and the GDPR (the successors to the DPA), the circumstances in which an employee will be elevated to acting as a data controller will be relatively rare. Most employee data breaches are caused by negligence and do not involve criminal acts. Nonetheless, employers should limit employees’ access to personal data and review access privileges on a regular basis.