Morrisons supermarket is not liable for the actions of a disgruntled employee who deliberately leaked nearly 100,000 employees' payroll data online, Britain's Supreme Court has ruled.
The case was brought over the actions of Andrew Skelton, a Morrisons auditor, who in 2014 was supposed to be transferring payroll data via encrypted USB stick to KPMG. Holding a grudge after being disciplined for abusing company postage to run his side hustle (a protein powder mail-order biz), Skelton made a separate copy of 99,998 employees' payroll information, dumped it online using Tor to cover his tracks and posted CDs of it to three newspapers.
He timed the breach to coincide with Morrisons' annual results in the hope of damaging its public image. The Bradford Telegraph and Argus refused to publish any news based on the CD's contents, instead informing Morrisons of the breach. For his actions, Skelton was handed an eight-year prison sentence in 2015.
Supreme Court judge Lord Reed ruled: "First, the disclosure of the data on the internet did not form part of Skelton's functions or field of activities," also decreeing that previous findings by the High Court and Court of Appeal were mistaken in law. Whether Skelton had been "acting on his employer's business or for purely personal reasons" was a "highly material" question, remarked the judge, contrasting this with how the Court of Appeal had framed it. Lord Reed's view was:
In a case concerned with vicarious liability arising out of a relationship of employment, the court generally has to decide whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.
He duly found that Skelton going off on a tangent of his own to leak the data was not closely connected enough to his job for vicarious liability to be established.
Morrisons off the hook
"Skelton's wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons' liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment," said Lord Reed in a judgment handed down this morning.
While it sets the law on vicarious liability – the legal principle that employers can be held responsible for the actions of employees who commit crimes while on duty – the full judgment will be cold comfort for the 9,000+ Morrisons employees who had their personal details published online and joined the group litigation against the supermarket.
Thanks to this ruling, it is now a clear legal principle that companies can be held vicariously liable for employees' actions that result in a data breach. Nick McAleenan, lead solicitor for the employees, commented: "For the first time, the Supreme Court has established the legal principle that employers can now be legally responsible for data breaches caused by their employees – under the law of vicarious liability."
Lord Reed ruled:
The imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity.
Unfortunately for the Morrisons workers, the rogue employee in this case had gone too far rogue for the supermarket to be held liable and to pay compensation – a ruling with which Lords Reed, Kerr, Hodge and Lloyd-Jones, along with court president Lady Hale, unanimously agreed.
We can't get a payout for having our data exposed
Lawyers rushed out to comment on the judgment. McAleenan grieved over the main thrust of today's judgment, saying: "My clients entrusted their personal information to their employer, Morrisons, in good faith. When their information was subsequently uploaded to the internet by a fellow employee, it caused an enormous amount of upset and distress to tens of thousands of people. The Supreme Court's decision now places my clients, the backbone of Morrisons' business, in the position of having no legal avenue remaining to challenge what happened to them."
In contrast, Matthew Gill of law firm Wiggin LLP opined: "If the court's decision had gone the other way, Morrisons would have been liable to 100,000 of its employees for a breach of their data despite Morrisons having done everything it reasonably could have to protect that data. Other employers would have faced an untenable risk that if they were hit by a similar theft of data by an employee, they would be left wholly exposed."
The judgment seems likely to please the Information Commissioner's Office, which we revealed had quietly urged the Court of Appeal to dismiss the case last year without even bothering to look at the employees' legal arguments against Morrisons. ®
Our previous coverage of the High Court's judgment is here.
Sponsored: Webcast: Simplify data protection on AWS