Morrisons not vicariously liable for malicious data breach
In one glimpse of spring sunshine for employers, the Supreme Court has handed down its decision in WM Morrison Supermarkets plc v Various Claimants – the supermarket data protection judgment. It has reversed the previous decisions to hold that the employer was not vicariously liable under data protection law for the malicious acts of an employee who unlawfully uploaded payroll data to the internet. In the Supreme Court’s view, the employee was not acting in the course of his employment.
Regular readers will remember previous updates and email alerts regarding the decisions of the lower courts, which found that Morrisons was liable for the employee’s unlawful acts, despite not having done anything wrong or unlawful itself. These decisions signalled a potentially worrying development for innocent employers, who could be held liable for an employee’s deliberately unlawful act. This latest decision by the Supreme Court has now gone some way to reducing that impact.
So what was it all about? The employee in this case was a senior IT internal auditor with a grudge against his employer, Morrisons. While handling payroll data as part of his job, he made a personal copy of workforce payroll data, and uploaded it to a data sharing website. He also anonymously sent the data to newspapers, claiming to be a concerned member of the public. The aim of his actions was to cause damage to Morrisons. Although the employee was subsequently arrested and convicted of fraud (and went to prison) a large number of other Morrisons employees brought claims against the supermarket for breaches of the Data Protection Act 1998 (then in force).
The High Court and the Court of Appeal found that Morrisons had no primary responsibility for the acts, as it had neither caused nor contributed to the data breach. However, it was found that there was a sufficient connection between the unlawful acts and the employee’s employment (the fact that he was legitimately allowed to process the payroll data), such that Morrisons was vicariously liable for the employee’s actions and so would be obliged to pay compensation to the claimants. With such a large number of claimants this would be potentially very expensive. Morrisons appealed to the Supreme Court.
The lower court decisions set alarm bells ringing for employers, as any employee with a grudge and access to personal data could set them up for liability, regardless of what protection and prevention was put in place by the employer – effectively there was nothing an employer could do to prevent such liability.
So the Supreme Court’s decision that Morrisons is not vicariously liable for the employee’s actions is hugely welcome. It has confirmed that an employer will only be liable for the actions of an employee where the unlawful conduct in question is so closely connected with acts that the employer had authorised the employee to do that the unlawful conduct may be properly and fairly regarded as done in the ordinary course of his or her employment. Essentially, for a case to succeed, the employee needs to be furthering the business of the employer, albeit in an unlawful way. The fact that the employee’s employment gave him the opportunity to commit the wrongful act was not enough to satisfy the test for vicarious liability.
Based on this test, the Supreme Court noted that the employee in question had not been furthering Morrisons’ business; quite the opposite, he was pursuing a personal vendetta against Morrisons. He was not, therefore, acting in the course of his employment, and Morrisons is off the hook.
While this may be a welcome relief for employers, it is worth noting that it is not a complete “get out of jail free” card. Had the employee not been acting maliciously, but had simply sent data to the wrong person, or had been genuinely but mistakenly trying to whistle-blow, he could well have been found to be acting in the course of his employment, and Morrisons would have been liable.
It is therefore still important for employers to ensure that staff are fully aware of their obligations under data protection legislation, and that robust processes are maintained to reduce the risk of data being inadvertently or deliberately leaked or misused.