In Various Claimants v. WM Morrison Supermarkets UKSC 12, the Supreme Court has reversed the Court of Appeal decision and held that Morrisons supermarket is not liable for the serious (and intentional) data breach committed by its former employee. Employers can breathe a (small) sigh of relief, but staff whose data was impacted by the breach are concerned that this leaves them without an effective remedy.
In this article, we comment on the impact of the Supreme Court’s judgment.
In Morrisons, over 5,000 claimants sought compensation from the well-known UK supermarket chain for “distress, anxiety, upset and damage”. The claims arose from a data breach in which Mr. Skelton, a disgruntled former employee, posted colleagues’ payroll information online in 2014. The claimants made claims for breach of statutory duty under the Data Protection Act 1998 (the “DP Act 1998”), misuse of private information and breach of confidence. The High Court ruled that Morrisons was vicariously liable because Mr. Skelton had acted in the course of his employment. Morrisons subsequently appealed that decision to the Court of Appeal in 2018.
In its judgment, the Court of Appeal agreed with the High Court and held that employers could be vicariously liable for the misuse of personal data by a rogue employee, even though:
The Court of Appeal’s reasoning was that there was an unbroken thread that linked the employee’s role to the data breach; Morrisons was therefore vicariously liable for the breach.
Morrisons appealed to the Supreme Court, and the Supreme Court hearing concluded in November 2019. In its judgment, the Supreme Court unanimously upheld Morrisons’ appeal on the vicarious liability point. The Court considered two main arguments raised by Morrisons:
1. Vicarious liability: The Court of Appeal erred in concluding that the unauthorised disclosure of personal data by the employee occurred “in the course of his employment”:
2. Breach of Data Protection laws: Morrisons argued that no vicarious liability could be imposed because the DP Act 1998 (now replaced by the GDPR and the Data Protection Act 2018) impliedly excluded vicarious liability for a breach of the Act, as well as for misuse of private information and breach of confidence. Morrisons’ argument was that the former employee, in acting outside his employer’s authority, was acting as a data controller in his own right and, as such, was himself responsible under the DP Act 1998 for the damage and distress caused to the affected employees; there is no provision in the DP Act 1998 imposing liability on the employer of a data controller.
The Supreme Court rejected this argument. It found that an employee acting outside his or her authority can be a data controller and liable under data protection legislation, but that does not exclude the imposition of vicarious liability on the employer.
In our recent article on UK group data breach claims, we highlighted how the Court of Appeal’s decision in Morrisons could fuel the appetite for group data breach litigation arising from data breaches by rogue employees. The Supreme Court decision will likely suppress that appetite.
That does not mean, however, that the Supreme Court decision signals the end of data breach group actions in the UK. Cases on employers’ liability for the acts of their employees are invariably fact-specific. Many data breaches are not committed by rogue employees “pursuing a personal vendetta”, as Mr. Skelton was. It will often be the case that there is no clear intention on the part of an employee to cause a data breach, for example where data is lost or disclosed carelessly in the course of the employee’s ordinary duties. In those cases, the employer can still be held vicariously liable. And, of course, claimants could still use any adverse regulatory findings against a company as a springboard to bring group actions for damages.
Employers should clearly delineate the scope of employees’ responsibility for personal data, by ensuring that, through clear training and policies, staff with access to personal data are well aware of the scope of their responsibilities and the limits on authorised disclosure of that data.
The Supreme Court commented on Morrisons’ prompt response to mitigate the impact of the breach and the action taken, including spending significant amounts on identity protection measures for affected employees. Companies are becoming familiar with the importance of immediate remedial action in response to data security incidents – it is a factor that data protection regulators take into account, and the Courts are clearly attuned to this as well. Employers should review and road test their data security incident response plans to ensure a clear and immediate response.
Morrison & Foerster's Trainee Solicitor Matthew Rodin assisted in the preparation of this client alert.