Byline: Luke Patel

In a landmark judgment the Supreme Court has ruled that WM Morrisons Supermarket Plc is not vicariously liable for a massive data breach.

In 2013, Mr Skelton, a senior auditor of Morrisons, published personal details of almost 100,000 Morrisons’ employees online, including names, contact details, bank account numbers and salaries.

He also sent CDs containing the data to three national newspapers. The reason for his actions was an attempt to frame a fellow employee who had been involved in disciplinary proceedings against him.

Once Morrisons was alerted to the breach, it took immediate steps to ensure that the data was removed from the internet, instigated investigations and informed the Police. Mr Skelton was arrested and subsequently convicted and sentenced to 8 years in prison.

A class action was brought against Morrisons by 9,263 of the employees affected by the breach alleging that the supermarket was directly or vicariously liable for the breach of the Data Protection Act 1998 and/or the misuse of private information and/or breach of confidence.

Morrisons was found to be vicariously liable at first instance and at the Court of Appeal, Morrisons therefore appealed to the Supreme Court.

The Supreme Court upheld Morrisons’ appeal finding that the lower courts had misapplied the principles governing vicarious liability.

The Supreme Court found that in cases concerning vicarious liability arising out of a relationship of employment; the court had to decide whether the wrongful conduct was so closely connected with the acts which the employee was authorised to do that, for the purposes of the liability of the employer, it may fairly and properly be regarded as being done by the employee in the ordinary course of his employment. This is what is known as the “Close Connection Test”.

The Supreme Court clarified the application of the Close Connection Test and stated that:-

•   The test did not mean that there was simply an unbroken series of events between the employee acting in the course of employment and the misconduct.  

•   The employee's motive i.e. whether they were acting on their employer’s business, however misguided, or for purely personal reasons (on a “frolic of their own”) was highly material.  

•   The fact that the employment gave the employee the opportunity to commit the wrongful act was not sufficient to warrant vicarious liability.

Applying the above principles, the Supreme Court held that Morrisons was not vicariously liable for Mr Skelton’s action because the disclosure of the data online was not part of Mr Skelton’s field of activities as it was not something that he was authorised to do. Also, Mr Skelton was not engaged in furthering his employer’s business when he committed the unlawful act but instead he was pursuing a personal vendetta.

This decision will undoubtedly come as a huge relief to Morrisons and be welcomed by employers who suffer mass data breaches.

However, it should not be taken by employers as a blanket exemption from vicarious liability in such situations as Morrisons had strong compliance procedures in place to protect its employees’ data which was only breached as a result of one of its employees having a grievance against the company.

Employers should ensure that they have proper safeguards and policies in place to ensure that they are protected as far as possible against liability for malicious data breaches.

If you require assistance in any dispute regarding employment or workplace matters, or advice in respect of data protection then please contact Luke Patel on 0113 227 9316 or at “LPatel@LawBlacks.com”.