Vicarious liability for data security breaches
Morrison Supermarkets v Various Claimants (Court of Appeal) [2018]
The Court of Appeal has upheld a decision that could make employers vicariously liable for their employees’ actions even if they have taken every conceivable preventative step and bear no criminal responsibility. The court upheld a High Court ruling that supermarket chain Morrisons was liable for the actions of former employee Andrew Skelton. Morrisons said it will appeal to the Supreme Court.
Facts:
The facts of the case are set out in our report on the original High Court decision (see http://www.trglaw.com/news255.html).
Decision:
The Court of Appeal held that the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded by data protection legislation.
Notwithstanding that Mr Skelton committed the acts complained of (1) from a personal computer, (2) at home and (3) outside of working hours, there was, according to the court, a “seamless and continuous sequence” or “unbroken chain” of events linking back to his employment. In coming to that conclusion, the judges cited with approval the recent judgment in Bellman v Northampton Recruitment, in which it was held that, in assessing whether an employer should be held vicariously liable for the acts of an employee, the court must assess whether the relevant acts fall “within the field of activities assigned to the employee” and, insofar as this is the case, whether there is a "sufficient connection" between the position in which the employee was employed and the relevant act for liability to attach to the employer. The Court of Appeal held that in this case "the tortious acts of Mr Skelton in sending the claimants’ data to third parties were within the field of activities assigned to him by Morrisons" and that an employer could be vicariously liable even where the intention of the employee committing the relevant act "was to harm his employer rather than to achieve some benefit for himself or to inflict injury on a third party". The employee's motive in committing the relevant act is seemingly irrelevant.
Points to Note:
- The Court of Appeal's judgment leaves employers exposed to potential claims arising from the actions of rogue employees, even in circumstances where the stated aim of those employees is to deliberately harm their employer and the employer has not itself breached data protection legislation.
- It is important to note that the appeal did not concern vicarious liability for breaches of the Data Protection Act. The original judge had previously dismissed claims that Morrisons was in breach of its statutory duties under the DPA. The appeal also did not question the finding of the original judge that, at the relevant point in time when the acts in question occurred, Morrisons was not the data controller. The lack of appeals on these points is unfortunate, as they raise interesting questions that could have provided useful guidance to businesses.
- Implementing "appropriate organisational and technical measures", monitoring them and updating them as necessary from time to time may not be sufficient to ensure that an employer avoids liability to affected third parties, but these steps will go a long way to limiting the employer's potential exposure to sanctions by the Information Commissioner.
- Insurance. The Court of Appeal clearly thought this was an appropriate option: “The solution is to insure against… losses caused by dishonest or malicious employees.”
- An appeal to the Supreme Court is expected. Morrisons was refused leave to appeal by the Court of Appeal, but it is understood that it intends to seek leave to appeal from the Supreme Court itself. Assuming that the Supreme Court either refuses leave to appeal (unlikely) or upholds the Court of Appeal's findings, the claim will be remitted to the High Court to determine Morrisons' liability in damages. The Court of Appeal made clear that it believed that thus far none of the claimants had in fact suffered direct financial losses, but the claimants allege that the breach left them exposed to the risk of identity theft and potential financial loss. Quite how a court can compensate for that potential risk is not entirely clear.