A data breach Doomsday for defendants?

WM Morrisons Supermarkets PLC v Various Claimants [2018] EWCA Civ 2339

The facts

Morrisons employed a senior IT internal auditor called Mr Skelton. He was given a verbal warning following his unauthorised use of Morrisons’ postal facilities to send parcels he had paid the postage for. As subsequent events showed, he was now an employee with a grudge.

A few months later Morrisons’ external auditors requested copies of Morrisons’ payroll data. Mr Skelton was involved in the transfer of that data given his responsibilities at Morrisons. Having copied the payroll data onto a personal USB stick, he later posted a file containing the personal details of almost 100,000 Morrisons employees onto a file-sharing website. Despite his efforts to cover his tracks, Mr Skelton was quickly discovered to be the party responsible. He was convicted and sent to prison.

The claimants in this group action (approximately 5,500 in number) were employees whose personal details (such as names, addresses, dates of birth, telephone numbers, NI numbers, bank sort codes, bank account numbers and salary details) had been revealed by the data breach. They pursued claims against Morrisons for misuse of private information, breach of confidence and breach of the Data Protection Act 1998 (“the DPA”). It was contended that Morrisons was primarily liable in these claims but if not it was vicariously liable for Mr Skelton’s actions.

First instance decision

The court ordered liability to be tried first. To the extent that the claimants sought to argue that Morrisons were directly liable for the disclosure, they were unsuccessful. However, that’s where the good news ended for Morrisons, as there was a finding that they were vicariously liable to the claimants.

The court rejected Morrisons’ contentions that the DPA implicitly excluded the possibility of vicarious liability. Their assertion, that the effect of the DPA was to exclude any scope for vicarious liability in claims for misuse of private information or for breach of confidence, met the same fate.

Looking specifically at vicarious liability principles, the court was satisfied, with particular regard to the approach in Mohamud v WM Morrison Supermarkets PLC [2016] UKSC 11, that there was a sufficiently close connection between the position in which Mr Skelton was employed and his wrongful conduct such that Morrisons should be held vicariously liable for his wrongdoing. Morrisons appealed.

Court of Appeal decision

The Court of Appeal was satisfied that the principle of vicarious liability was not expressly or impliedly excluded by the DPA.

That left the primary issue of vicarious liability to be considered again. Regrettably for Morrisons it did not result in any change of approach. Morrisons sought to argue that the close connection test was not satisfied as, even if the copying onto the USB stick was done in the course of employment, the disclosure was not. It asserted the act that caused the harm was done by Mr Skelton at home, using his computer, on a Sunday, several weeks after he had downloaded the data onto his personal USB stick. The Court of Appeal was unpersuaded by this. It said that the claimants’ cause of action against Mr Skelton was established when he downloaded the data onto his USB stick at work. Morrisons’ contention that for vicarious liability in these circumstances the employee had to be “on the job” was robustly rejected. The Court of Appeal noted that there were many decisions where vicarious liability had been established in relation to acts away from the workplace.

There was discussion as to the relevance or otherwise of the wrongdoer’s motive and whether a finding against Morrisons would make the court an accessory in furthering Mr Skelton’s criminal aim of getting revenge on Morrisons. The Court noted that employers had been held to be vicariously liable in cases where the motive was greed, racism or sexual gratification and saw no reason why motive (in this case in the form of revenge) should be a consideration in determining whether an employer should be held liable for an employee’s actions.

Equally, arguments that imposing liability here would place too great a burden on employers were robustly rejected. The Court of Appeal made it clear that the “…availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward…”.

What this means for you

Tim Smith, BLM’s head of technology and media says:

“This was a short and robust judgment that fully upheld the underlying decision that Morrisons are vicariously liable for the actions of their rogue employee. The judgment was unanimous, by a panel headed by the Master of the Rolls and was turned around in less than a fortnight. This suggests that the Court did not find the issues very challenging and so far not one judge has expressed any sympathy with the defendants’ arguments save for the High Court judge when it came to the point that vicarious liability enabled the rogue employee to get his revenge on Morrisons. However, even then the Court was quick to dismiss the employee’s motivation as being irrelevant.

Whilst Morrisons have already said that they will be seeking to take the appeal to the Supreme Court it may be hard for them to persuade the Supreme Court to overturn the underlying decisions. The list of authorities imposing vicarious liability on innocent employers in a range of situations for everything from theft to sexual abuse is very extensive and many of them are Court of Appeal and Supreme Court decisions. Whilst personal injury lawyers will probably find the judgment unsurprising it is a very new experience for vicarious liability to play such a significant role in a technology/media claim.

The Court accepted that the outcome is tough on innocent employers but the bottom line as far as the Court seems to be concerned is that this is what vicarious liability is all about and that it would be even tougher on innocent victims if vicarious liability did not exist.

The Court made it clear that the solution is for organisations to buy insurance. Faced with the prospect of vicarious liability for employees’ data breaches, even where they have state of the art organisational and technological measures in place to prevent breaches, organisations would be well advised to take the hint and take out cover as soon as they can.”

Steve Kuncewicz, a technology and media partner in BLM’s business advisory team says:

“Vicarious liability is an issue for all businesses to grapple with, and this judgment proves that data protection is no exception. Even though this case was decided under the Data Protection Act 1998, the GDPR and new Data Protection Act 2018 have only increased the likelihood of group actions in the event of a breach.

The new legislation is framed around risk-based compliance, and complying with the new requirement of accountability means that having policies and procedures in place to both deter breaches and deal with them effectively when they happen is more important than ever. Strong internal controls backed up by planning in peacetime for immediate responses where possible are the best defence from employees who have taken offence, and data protection is now squarely at the top of the corporate risk agenda.”

Disclaimer: This document does not present a complete or comprehensive statement of the law, nor does it constitute legal advice. It is intended only to highlight issues that may be of interest to clients of BLM. Specialist legal advice should always be sought in any particular case.
