Company not vicariously liable for acts of employee
Morrison Supermarkets v Various Claimants (Supreme Court) [2020]
The Supreme Court has handed down a very important judgment for all data controllers and processors who were concerned that they could be strictly liable in damages for data security breaches even where the acts of the employee in question were done very deliberately to damage the employer.
Facts:
The facts were summarised in our previous reports on this case. In both the High Court and the Court of Appeal, Morrisons were held liable for the acts of their disgruntled employee in deliberately publishing a large database of employee records. It is important to note that there was no allegation that Morrisons as a corporate entity had failed to comply with its data security obligations. Morrisons had taken appropriate steps to protect the security of its employees’ personal data.
Decision:
The Supreme Court overturned the judgments of the lower courts and found that Morrisons was not vicariously liable. In doing so they pointed out that comments in a previous case (quite coincidentally also featuring the supermarket) had seemingly been misinterpreted.
The general principle was established in a case called ‘Dubai Aluminium’ from 2002, namely that the wrongful conduct had to be so closely connected with acts the employee was authorised to do that, for the purposes of potential liability of the employer to third parties, it might fairly and properly be regarded as done by the employee while acting in the ordinary course of their employment.
The disclosure of the data on the internet did not form part of Mr Skelton's functions or field of activities. This was not an act which he was authorised to do. Although there was an unbroken ‘chain of causation’ linking the provision of the data to Mr Skelton for the purpose of transmitting it to the auditors and his disclosing it on the internet, such a connection did not in itself satisfy the close connection test. Whether Mr Skelton was acting on his employer's business or for purely personal reasons was highly material.
The mere fact that Mr Skelton's employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability. Mr Skelton was not engaged in furthering his employer's business when he committed the wrongdoing. On the contrary, he was pursuing a personal vendetta. His wrongful conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment.
Points to Note:
- This decision provides welcome confirmation for employers that they will not generally be liable for data breaches committed by rogue employees in such extreme circumstances, but the judgment may not be quite the last word on the topic. It is clear that the courts have often struggled with trying to avoid a situation where wronged claimants are left with claims of minimal value against individual employees who have acted wrongly and, therefore, at various times, have allocated risk and liability to employers even where the employee in question has defied express instructions. Each case will be determined on its own facts. It must be remembered that there has never before been a case where the primary motive of the wrongdoer was to harm the employer and so this case is completely exceptional.
- The court referenced yet another case involving a ‘Morison’, dating from as long ago as 1874 (Joel v Morison). In that case the court said “The master is only liable where the servant is acting in the course of his employment; but if he was going on a ‘frolic of his own’, without being at all on his master’s business, the master will not be liable”. The critical distinction seems to be between situations where the individual is in some way ‘furthering the employer’s business’ and situations where he is simply ‘pursuing his own interests on a frolic of his own’.
- Had this case ultimately been decided differently, the risks for data controllers and data processors in relation to claims for damages arising out of security breaches would have been considerably increased. Whilst a significant risk remains from security breaches caused by ordinary failures of people, technology and processes, at least the most extreme element of risk seems to have been removed.
- As between data controllers and data processors the apportionment of risk for data security breaches in the context of a services agreement will continue to be highly contentious.