In a landmark case, the UK Supreme Court has ruled that supermarket chain Morrisons is not vicariously liable for a deliberate data breach committed by a former rogue employee. The decision shows that an employer is unlikely to be liable for a malicious data breach committed by an employee, where his/her wrongful conduct is not closely connected with his/her tasks at work.
The court considered the extent of an employer’s liability for a data breach committed by an employee. Mr Skelton, an internal auditor at Morrisons, maliciously disclosed his co-workers’ personal data (including payroll data) on the internet. In a class action suit, over 5,500 employees sued Morrisons for compensation for loss caused by the data breach, including non-pecuniary loss such as distress. At trial, the judge concluded that Morrisons bore no primary responsibility, but was vicariously liable for the rogue employee’s actions, even though the data breach was targeted at harming Morrisons. The judge found that Mr Skelton was acting in the course of his employment. Morrisons’ subsequent appeal to the Court of Appeal was dismissed.
The Supreme Court unanimously allowed the appeal, finding that Morrisons was not vicariously liable for the data breach. It ruled that the High Court and Court of Appeal had misunderstood the principles governing vicarious liability. The test applicable to vicarious liability is: the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.
The court held that Mr Skelton was authorised to transmit payroll data to the auditors only. His wrongful online disclosure of his co-workers’ personal data was not so “closely connected” with that task that it could fairly and properly be regarded as being done while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability. The court noted that whether an employee is acting on his/her employer’s business or for purely personal reasons when he/she commits a wrongful act is relevant in determining whether vicarious liability arises. An employer is not normally vicariously liable where the employee was not engaged in furthering his/her employer’s business, but rather was pursuing a personal vendetta.
The court also found that vicarious liability may arise for breaches of obligations imposed by the UK Data Protection Act 1998 (which was in force at the time of the breach), as well as for breaches arising at common law and in equity, committed by an employee who is a data controller acting in the course of his/her employment.
The decision provides some welcome clarification on the scope of employers’ vicarious liability for malicious data breaches committed by employees. It shows that employers are unlikely to be liable for damages for a deliberate data breach committed by an employee, where the wrongful conduct resulting in the breach is not closely connected with the employee’s tasks. The decision will be of persuasive authority to the Irish courts.