Supermarket not liable for deliberate data breach by employee

In a landmark judgement dated 1 April 2020, the Supreme Court ruled in the case of WM Morrison Supermarkets plc v Various Claimants that Morrisons was not liable for a data breach by one of its employees. The case was primarily concerned with whether the supermarket was responsible, and therefore liable to pay compensation, for the actions of one of its employees, Mr Skelton, who had wrongfully disclosed personal data by uploading to the internet payroll information belonging to around 100,000 of the supermarket’s employees.

Background

As part of his role as a senior auditor for Morrisons, and in order to provide data to KPMG for an external audit, Mr Skelton was given access to the payroll data of around 126,000 employees of the supermarket, including their names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salaries. Under the Data Protection Act 2018 (enacting the GDPR), financial information relating to individuals is classed as ‘Special Category Data’ and carries enhanced obligations on the Data Controller in respect of how it is processed and protected.

Previously, the supermarket had given Mr Skelton an oral warning for an unrelated incident. It appeared that he held a grudge as a result, and the Court concluded that this grudge motivated his subsequent actions.

Mr Skelton copied the personal data he provided to KPMG and published it online from his home. He also sent it to several newspapers, which did not publish the data but instead notified the supermarket. The supermarket informed the police, and Mr Skelton was found guilty in 2015 of the criminal charges brought against him and was sentenced to eight years in prison.

Judgement

To determine if the supermarket had vicarious liability arising out of the employment relationship, the Court considered if Mr Skelton’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment. This is known as the close connection test.

The Court concluded that Mr Skelton was pursuing a personal vendetta and that his actions were therefore not what Morrisons could reasonably expect of him in the performance of his duties as an employee. The mere fact that the opportunity to commit the wrongful disclosure had arisen through Mr Skelton’s employment did not in itself result in the supermarket being held vicariously liable.

Analysis

This case presented an opportunity for the Supreme Court to clarify the law on vicarious liability. In particular, the Court said that its previous decision in Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11 (Mohamud) had been misinterpreted. For example, it is not the case that the motive of the employee is irrelevant, as the lower Courts had held when applying the judgement in Mohamud; the question is whether the employee was acting in the course of his employer’s business at the time he committed the act. The Supreme Court reiterated that the close connection test is the correct test to apply.

It is possible that the close connection test will leave victims of data breaches without an adequate remedy. We are presented with a position where claimants who have suffered the same loss may or may not be able to recover from the employer, and that outcome will depend on the employee’s relationship with the employer and on whether their actions are considered to be in the ordinary course of their employment.

This judgement will provide some comfort for employers, as it clarifies when they will be held vicariously liable for the actions of their employees: employers can be legally responsible for data breaches caused by their employees under the doctrine of vicarious liability if the employee is acting in the ordinary course of his employment and the relevant tests are satisfied.

That said, employers should not rely on this judgement, which turned very much on the facts of the case and does not provide a blanket ‘get out’ for employers. Employers should continue to monitor and assess their policies on handling personal data, given the increased regulation and responsibilities under the General Data Protection Regulation and the Data Protection Act 2018.

Further information

For more information on any employment-related issues, please contact:

  • Toby Stroh at t.stroh@druces.com or +44 (0)20 7216 5564
  • Charles Avens at c.avens@druces.com or +44 (0)20 7216 5568
  • Alice Williams at a.williams@druces.com or +44 (0)20 3794 5969

And for more information on data protection issues arising, please contact:

  • Neil Pfister at n.pfister@druces.com or +44 (0)20 7216 5589